CVE-2022-24778: CWE-863: Incorrect Authorization in containerd imgcrypt
The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current user is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run, anticipating that the image run would fail later because the layers were not available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied in imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.
AI Analysis
Technical Summary
CVE-2022-24778 is a medium-severity vulnerability in the imgcrypt library, the containerd component that supports encrypted container images. imgcrypt provides API extensions and a command-line tool (ctd-decoder) that containerd uses to decrypt encrypted container images. The vulnerability is an incorrect authorization check in the `CheckAuthorization` function. That function is meant to ensure that a user can run an encrypted image only when they hold the appropriate decryption keys, so that an image decrypted by one user on a host cannot simply be reused by another user on the same host.

The flaw manifests when an image carries a ManifestList (a multi-architecture image manifest). Prior to version 1.1.4, the authorization check evaluated only the first architecture listed in the ManifestList. If the host's architecture was not the first entry, the layers of that first entry were typically not available locally (they were never pulled because they cannot run on the host), and the function treated unavailable layers as a reason to allow the run, expecting the run itself to fail later. That verdict let a user run one of the other architectures in the ManifestList, the host's own included, without providing decryption keys, as long as the image had previously been decrypted by another user on the same system. The root cause is the incomplete verification of the ManifestList entries, which produces an incorrect authorization verdict.

The issue was fixed in imgcrypt 1.1.4 by validating authorization across all architectures in the ManifestList. As a workaround, use separate namespaces for each remote user so that decrypted images are isolated and cannot be reused across users. No exploits are known in the wild, but the vulnerability is a risk in multi-user environments where encrypted container images are shared on one host.
The vulnerability falls under CWE-863 (Incorrect Authorization): a failure to enforce the intended access control policy.
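To make the decision logic concrete, here is an added Go model (not imgcrypt's own code) of the pre-1.1.4 and 1.1.4 verdicts for the scenario above; the `Manifest` type, the `present`/`keys` maps and the layer digests are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of imgcrypt's CheckAuthorization (added here; not imgcrypt code). All layers are encrypted.
type Manifest []string // layer digests of one platform entry in the manifest list

var ErrNoKey, ErrUnavailable = errors.New("encrypted layer: caller holds no decryption key"), errors.New("layer not available locally")

// A missing key for any local layer is fatal; non-local blobs yield ErrUnavailable otherwise.
func checkManifest(present map[string]bool, m Manifest, keys map[string]bool) error {
	var err error
	for _, l := range m {
		switch {
		case !present[l]:
			err = ErrUnavailable
		case !keys[l]:
			return ErrNoKey
		}
	}
	return err
}

// firstOnly=true: pre-1.1.4 logic, only list[0] is examined and "unavailable" means "allow".
// firstOnly=false: 1.1.4 logic, every entry is examined, non-local entries skipped, no key denies.
func CheckAuthorization(present map[string]bool, list []Manifest, keys map[string]bool, firstOnly bool) error {
	if firstOnly && len(list) > 0 {
		list = list[:1]
	}
	for _, m := range list {
		if err := checkManifest(present, m, keys); err != nil && !errors.Is(err, ErrUnavailable) {
			return err
		}
	}
	return nil
}

// Advisory scenario (constructed digests): arm64 host, list [amd64, arm64], only the arm64 layer present (decrypted earlier by another user).
func Scenario(keys map[string]bool, firstOnly bool) error {
	present := map[string]bool{"sha256:arm64-layer": true}
	list := []Manifest{{"sha256:amd64-layer"}, {"sha256:arm64-layer"}}
	return CheckAuthorization(present, list, keys, firstOnly)
}

func main() {
	fmt.Println("pre-1.1.4:", Scenario(nil, true), "| 1.1.4:", Scenario(nil, false))
}
```

With no keys, the pre-1.1.4 path returns nil (run allowed) because the amd64 entry's blobs are absent, while the 1.1.4 path reaches the local arm64 layer and denies with ErrNoKey.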
Potential Impact
For European organizations, especially those leveraging containerized environments with encrypted images, this vulnerability could lead to unauthorized access to sensitive container images. This unauthorized access could expose proprietary application code, sensitive configuration data, or intellectual property embedded within encrypted images. In multi-tenant or shared infrastructure environments common in European data centers and cloud providers, the risk is amplified as multiple users may share the same host system. Attackers or unauthorized users could run container images without possessing the required decryption keys, potentially leading to data leakage or unauthorized execution of privileged container workloads. The impact on confidentiality is significant due to potential exposure of encrypted image contents. Integrity could be indirectly affected if unauthorized users modify or replace container images after unauthorized access. Availability impact is limited but could arise if unauthorized execution leads to resource exhaustion or denial of service. Given the vulnerability requires local access and the presence of multi-architecture images, the scope is somewhat constrained but relevant in environments with diverse architectures and shared usage. European organizations in sectors such as finance, manufacturing, and critical infrastructure that rely on containerized deployments and encrypted images should consider this vulnerability seriously. Compliance with data protection regulations like GDPR may also be impacted if sensitive data is exposed due to this flaw.
Mitigation Recommendations
1. Upgrade imgcrypt to version 1.1.4 or later to apply the official patch that corrects the authorization logic.
2. Implement strict namespace isolation for container runtimes, ensuring that each user or tenant operates within separate namespaces to prevent unauthorized reuse of decrypted images.
3. Audit container image manifests for multi-architecture ManifestLists and consider limiting usage to single-architecture images where feasible to reduce attack surface.
4. Enforce strict access controls and monitoring on hosts running containerd and imgcrypt, including logging of image decryption and execution events.
5. Regularly review and update container runtime configurations to ensure that encryption keys and credentials are securely managed and not shared across users.
6. Conduct penetration testing and security assessments focusing on container image encryption and authorization mechanisms.
7. Educate DevOps and security teams about the risks associated with multi-architecture encrypted images and the importance of applying patches promptly.
These measures go beyond generic advice by focusing on container runtime configuration, namespace isolation, and operational security practices tailored to the specific nature of this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9848c4522896dcbf6341
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 2:37:21 AM
Last updated: 8/12/2025, 12:51:37 AM