| id: GO-2021-0412 |
| modules: |
| - module: github.com/containerd/imgcrypt |
| versions: |
| - fixed: 1.1.4 |
| vulnerable_at: 1.1.3 |
| packages: |
| - package: github.com/containerd/imgcrypt/images/encryption |
| symbols: |
| - cryptManifestList |
| derived_symbols: |
| - CheckAuthorization |
| - DecryptImage |
| - EncryptImage |
| summary: Incorrect authorization in github.com/containerd/imgcrypt |
| description: |- |
| The imgcrypt library provides API extensions for containerd to support encrypted |
| container images and implements the ctd-decoder command line tool for use by |
| containerd to decrypt encrypted container images. The imgcrypt function |
| CheckAuthorization is supposed to check whether the current used is authorized |
| to access an encrypted image and prevent the user from running an image that |
| another user previously decrypted on the same system. In versions prior to |
| 1.1.4, a failure occurs when an image with a ManifestList is used and the |
| architecture of the local host is not the first one in the ManifestList. Only |
| the first architecture in the list was tested, which may not have its layers |
| available locally since it could not be run on the host architecture. Therefore, |
| the verdict on unavailable layers was that the image could be run anticipating |
| that image run failure would occur later due to the layers not being available. |
| However, this verdict to allow the image to run enabled other architectures in |
| the ManifestList to run an image without providing keys if that image had |
| previously been decrypted. A patch has been applied to imgcrypt 1.1.4. |
| Workarounds may include usage of different namespaces for each remote user. |
| published: 2022-04-28T23:35:11Z |
| cves: |
| - CVE-2022-24778 |
| ghsas: |
| - GHSA-8v99-48m9-c8pm |
| credits: |
| - '@dimitar-dimitrow' |
| references: |
| - fix: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9 |
| - web: https://github.com/containerd/imgcrypt/issues/69 |
| - web: https://github.com/containerd/imgcrypt/releases/tag/v1.1.4 |
| review_status: REVIEWED |