Wl2018

**Name of the Vulnerable Software and Affected Versions** Incus versions prior to 6.23.0 **Description** Incus lacks validation of the image fingerprint when downloading from simplestreams image servers. This can lead to image cache poisoning, potentially allowing an attacker to provide a compromised image to other users on the system under narrow circumstances. An attacker requires access to an Incus server without proper image source restrictions (like `restricted.image.servers` or equivalent firewall rules) and the ability to predict which images other users might deploy. The attack involves serving a compromised image with the same fingerprint as a legitimate one, potentially replacing the legitimate image in the cache. This could affect systems running ephemeral instances for CI or build purposes, where image usage is more predictable. **Recommendations** Versions prior to 6.23.0 should be updated to version 6.23.0 or later. As a temporary workaround, configure `restricted.image.servers` in the project configuration or implement equivalent firewall or HTTP proxy policies to restrict image sources.