CVE-2022-24778

{"id": "CVE-2022-24778", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-03-25T18:15:22.830", "references": [{"url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/containerd/imgcrypt/issues/69", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user."}, {"lang": "es", "value": "La biblioteca imgcrypt proporciona extensiones de la API para que containerd admita im\u00e1genes de contenedor cifradas e implementa la herramienta de l\u00ednea de comandos ctd-decoder para que containerd la use para descifrar im\u00e1genes de contenedor cifradas. La funci\u00f3n imgcrypt \"CheckAuthorization\" es supuesto que comprueba si el usuario actual est\u00e1 autorizado a acceder a una imagen encriptada y evita que el usuario ejecute una imagen que otro usuario haya desencriptado previamente en el mismo sistema. En versiones anteriores a 1.1.4, es producido un fallo cuando es usada una imagen con una ManifestList y la arquitectura del host local no es la primera de la ManifestList. S\u00f3lo es comprobada la primera arquitectura de la lista, que pod\u00eda no presentar sus capas disponibles localmente al no poder ejecutarse en la arquitectura del host. Por lo tanto, el veredicto sobre las capas no disponibles fue que la imagen pod\u00eda ser ejecutada anticipando que el fallo de ejecuci\u00f3n de la imagen ocurrir\u00eda m\u00e1s tarde debido a que las capas no estaban disponibles. Sin embargo, este veredicto de permitir la ejecuci\u00f3n de la imagen permit\u00eda a otras arquitecturas de la ManifestList ejecutar una imagen sin proporcionar claves si esa imagen hab\u00eda sido descifrada previamente. Ha sido aplicado un parche a imgcrypt versi\u00f3n 1.1.4. Las mitigaciones pueden incluir el uso de diferentes espacios de nombres para cada usuario remoto"}], "lastModified": "2023-11-07T03:44:36.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:imgcrypt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E47F333A-A481-488E-817D-59C3C7691D66", "versionEndExcluding": "1.1.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}