PT-2022-16873 · Imgcrypt+2

Dimitar Dimitrov +1 · Published 2022-03-25 · Updated 2023-01-25 · CVE-2022-24778

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

imgcrypt versions prior to 1.1.4

Description

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool, which containerd uses to decrypt encrypted container images. The imgcrypt function CheckAuthorization is supposed to check whether the current user is authorized to access an encrypted image and to prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. In that case the check returned a verdict to allow the image to run, which enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted.

Recommendations

For imgcrypt versions prior to 1.1.4, update to version 1.1.4 or later to apply the patch. As a temporary workaround, consider using different namespaces for each remote user to minimize the risk of exploitation.
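
The failure mode in the description, reduced to a small Go model next to a check that fails closed. This is an added example, not imgcrypt's own code: the type, function names and sample list are hypothetical, and the model assumes that an entry whose layers are not present locally gets an "allow" verdict.

```go
package main

import (
	"errors"
	"fmt"
)

// Manifest is a simplified stand-in for one ManifestList entry (hypothetical type).
type Manifest struct {
	Arch             string
	Encrypted, Local bool // Local: layers already decrypted on this host by an earlier user
}

var ErrNoKey = errors.New("encrypted image: no usable key")
var ErrNoPlatform = errors.New("no manifest for host architecture")

// authorize gives the verdict for one entry. Assumption of this model:
// layers that are not present locally yield "allow".
func authorize(m Manifest, haveKey bool) error {
	if m.Encrypted && m.Local && !haveKey {
		return ErrNoKey
	}
	return nil
}

// checkFirstEntry models the flawed behaviour: only list[0] is tested.
func checkFirstEntry(list []Manifest, haveKey bool) error {
	if len(list) == 0 {
		return ErrNoPlatform
	}
	return authorize(list[0], haveKey)
}

// checkHostEntry tests the entry the host would actually run and fails closed.
func checkHostEntry(list []Manifest, hostArch string, haveKey bool) error {
	for _, m := range list {
		if m.Arch == hostArch {
			return authorize(m, haveKey)
		}
	}
	return ErrNoPlatform
}

// sampleList is constructed data: the host architecture (amd64) is listed second.
var sampleList = []Manifest{{Arch: "arm64", Encrypted: true}, {Arch: "amd64", Encrypted: true, Local: true}}

func main() {
	fmt.Println(checkFirstEntry(sampleList, false), checkHostEntry(sampleList, "amd64", false))
}
```
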

Exploit

Fix

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2022-24778
GHSA-8V99-48M9-C8PM
GO-2021-0412
USN-5776-1

Affected Products

Linuxmint
Ubuntu
Imgcrypt