CVE-2022-24778: Incorrect Authorization in imgcrypt
First published: Fri Mar 25 2022(Updated: )
A flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linuxfoundation Imgcrypt | <1.1.4 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| redhat/imgcrypt | <1.1.4 | 1.1.4 |
| go/github.com/containerd/imgcrypt | <1.1.4 | 1.1.4 |
| <1.1.4 | ||
| =34 | ||
| =35 | ||
| =36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-24778 https://nvd.nist.gov/vuln/detail/CVE-2022-24778 https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm
- https://bugzilla.redhat.com/show_bug.cgi?id=2069368
- https://access.redhat.com/errata/RHSA-2022:4956
- https://access.redhat.com/errata/RHSA-2022:5070
- https://access.redhat.com/errata/RHSA-2022:8827
- https://access.redhat.com/security/cve/cve-2022-24778
- https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9
- https://github.com/containerd/imgcrypt/issues/69
- https://github.com/containerd/imgcrypt/releases/tag/v1.1.4
- https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2069369
- https://access.redhat.com/errata/RHSA-2022:1476
- https://nvd.nist.gov/vuln/detail/CVE-2022-24778
- https://pkg.go.dev/vuln/GO-2021-0412
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA
- https://github.com/advisories/GHSA-8v99-48m9-c8pm (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-24778
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8v99-48m9-c8pm
- agent/severity
- agent/description
- agent/references
- agent/softwarecombine
- agent/author
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/tags
- agent/event
- vendor/linuxfoundation
- canonical/linuxfoundation imgcrypt
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- package-manager/redhat
- package-manager/go