{"containers": {"cna": {"affected": [{"product": "imgcrypt", "vendor": "containerd", "versions": [{"status": "affected", "version": "< 1.1.4"}]}], "descriptions": [{"lang": "en", "value": "The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-07T06:06:23.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"name": "FEDORA-2022-5f746c8e5b", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}, {"name": "FEDORA-2022-de0f8beeb0", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"name": "FEDORA-2022-d86c15bfb7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}], "source": {"advisory": "GHSA-8v99-48m9-c8pm", "discovery": "UNKNOWN"}, "title": "Incorrect Authorization in imgcrypt", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24778", "STATE": "PUBLIC", "TITLE": "Incorrect Authorization in imgcrypt"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "imgcrypt", "version": {"version_data": [{"version_value": "< 1.1.4"}]}}]}, "vendor_name": "containerd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm", "refsource": "CONFIRM", "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"name": "https://github.com/containerd/imgcrypt/issues/69", "refsource": "MISC", "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"name": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9", "refsource": "MISC", "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"name": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4", "refsource": "MISC", "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"name": "FEDORA-2022-5f746c8e5b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}, {"name": "FEDORA-2022-de0f8beeb0", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"name": "FEDORA-2022-d86c15bfb7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}]}, "source": {"advisory": "GHSA-8v99-48m9-c8pm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:50.461Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"name": "FEDORA-2022-5f746c8e5b", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}, {"name": "FEDORA-2022-de0f8beeb0", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"name": "FEDORA-2022-d86c15bfb7", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T15:41:46.185380Z", "id": "CVE-2022-24778", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T18:17:56.011Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24778", "datePublished": "2022-03-25T17:20:11.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-22T18:17:56.011Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"containers": {"cna": {"affected": [{"product": "imgcrypt", "vendor": "containerd", "versions": [{"status": "affected", "version": "< 1.1.4"}]}], "descriptions": [{"lang": "en", "value": "The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-07T06:06:23.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"name": "FEDORA-2022-5f746c8e5b", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}, {"name": "FEDORA-2022-de0f8beeb0", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"name": "FEDORA-2022-d86c15bfb7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}], "source": {"advisory": "GHSA-8v99-48m9-c8pm", "discovery": "UNKNOWN"}, "title": "Incorrect Authorization in imgcrypt", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24778", "STATE": "PUBLIC", "TITLE": "Incorrect Authorization in imgcrypt"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "imgcrypt", "version": {"version_data": [{"version_value": "< 1.1.4"}]}}]}, "vendor_name": "containerd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm", "refsource": "CONFIRM", "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"name": "https://github.com/containerd/imgcrypt/issues/69", "refsource": "MISC", "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"name": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9", "refsource": "MISC", "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"name": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4", "refsource": "MISC", "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"name": "FEDORA-2022-5f746c8e5b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}, {"name": "FEDORA-2022-de0f8beeb0", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"name": "FEDORA-2022-d86c15bfb7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}]}, "source": {"advisory": "GHSA-8v99-48m9-c8pm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:50.461Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"name": "FEDORA-2022-5f746c8e5b", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}, {"name": "FEDORA-2022-de0f8beeb0", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"name": "FEDORA-2022-d86c15bfb7", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24778", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T15:41:46.185380Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T15:41:48.897Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24778", "datePublished": "2022-03-25T17:20:11.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-22T18:17:56.011Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:imgcrypt:*:*:*:*:*:*:*:*", "matchCriteriaId": "E47F333A-A481-488E-817D-59C3C7691D66", "versionEndExcluding": "1.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user."}, {"lang": "es", "value": "La biblioteca imgcrypt proporciona extensiones de la API para que containerd admita im\u00e1genes de contenedor cifradas e implementa la herramienta de l\u00ednea de comandos ctd-decoder para que containerd la use para descifrar im\u00e1genes de contenedor cifradas. La funci\u00f3n imgcrypt \"CheckAuthorization\" es supuesto que comprueba si el usuario actual est\u00e1 autorizado a acceder a una imagen encriptada y evita que el usuario ejecute una imagen que otro usuario haya desencriptado previamente en el mismo sistema. En versiones anteriores a 1.1.4, es producido un fallo cuando es usada una imagen con una ManifestList y la arquitectura del host local no es la primera de la ManifestList. S\u00f3lo es comprobada la primera arquitectura de la lista, que pod\u00eda no presentar sus capas disponibles localmente al no poder ejecutarse en la arquitectura del host. Por lo tanto, el veredicto sobre las capas no disponibles fue que la imagen pod\u00eda ser ejecutada anticipando que el fallo de ejecuci\u00f3n de la imagen ocurrir\u00eda m\u00e1s tarde debido a que las capas no estaban disponibles. Sin embargo, este veredicto de permitir la ejecuci\u00f3n de la imagen permit\u00eda a otras arquitecturas de la ManifestList ejecutar una imagen sin proporcionar claves si esa imagen hab\u00eda sido descifrada previamente. Ha sido aplicado un parche a imgcrypt versi\u00f3n 1.1.4. Las mitigaciones pueden incluir el uso de diferentes espacios de nombres para cada usuario remoto"}], "id": "CVE-2022-24778", "lastModified": "2024-11-21T06:51:04.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-25T18:15:22.830", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/issues/69"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4SJUNSC7YZLA745EMKWK2GKEV57GE52K/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAHAAOOA3KZJC2I5WHCR3XVBJBNWTWUE/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZFTJR5CR5EOYDVOSBZEMLBHLJRTPJPUA/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-grafana-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-must-gather-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "application-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "assisted-image-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cert-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-backup-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterclaims-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-curator-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterlifecycle-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-proxy-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "config-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "discovery-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "endpoint-monitoring-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-propagator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-spec-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-status-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-template-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grafana-dashboard-loader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "iam-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-client-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-rbac-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "managedcluster-import-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "management-ingress-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "metrics-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-integrations-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-manager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-repo-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-observability-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-application-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-channel-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-deployable-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-placementrule-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-release-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "node-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "openshift-hive-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "placement-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-alertmanager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "provider-credential-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rbac-query-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "redisgraph-tls-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-agent-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-agent-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-reporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-aggregator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "submariner-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-receive-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rclone-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-restic-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:1476", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "work-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-04-21T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-cluster-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-governance-policy-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-grafana-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-must-gather-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-prometheus-config-reloader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-prometheus-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "acm-volsync-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "cert-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "cluster-backup-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "cluster-proxy-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "config-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "console-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "endpoint-monitoring-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "governance-policy-propagator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "governance-policy-spec-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "governance-policy-status-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "governance-policy-template-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "grafana-dashboard-loader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "iam-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "insights-client-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "insights-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "klusterlet-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "klusterlet-addon-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "kube-rbac-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "kube-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "management-ingress-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "memcached-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "memcached-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "metrics-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "multicloud-integrations-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "multiclusterhub-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "multiclusterhub-repo-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "multicluster-observability-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "multicluster-operators-application-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "multicluster-operators-channel-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "multicluster-operators-subscription-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "node-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "observatorium-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "observatorium-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "prometheus-alertmanager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "prometheus-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "rbac-query-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "redisgraph-tls-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "search-aggregator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "search-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "search-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "search-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "submariner-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "thanos-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:4956", "cpe": "cpe:/a:redhat:acm:2.5::el8", "package": "thanos-receive-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2022-06-09T00:00:00Z"}, {"advisory": "RHSA-2022:5070", "cpe": "cpe:/a:redhat:openshift:4.11::el8", "impact": "low", "package": "openshift4/kubernetes-nmstate-rhel8-operator:v4.11.0-202208020235.p0.ga6744d1.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.11", "release_date": "2022-08-10T00:00:00Z"}, {"advisory": "RHSA-2022:8827", "cpe": "cpe:/a:redhat:advanced_cluster_security:3.73::el8", "impact": "low", "package": "advanced-cluster-security/rhacs-main-rhel8:3.73.0-4", "product_name": "RHACS-3.73-RHEL-8", "release_date": "2022-12-06T00:00:00Z"}], "bugzilla": {"description": "imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path", "id": "2069368", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069368"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-287->CWE-303", "details": ["The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.", "A flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys."], "name": "CVE-2022-24778", "package_state": [{"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Not affected", "impact": "low", "package_name": "oadp/oadp-velero-plugin-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/endpoint-monitoring-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/multiclusterhub-repo-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/multicluster-operators-channel-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/multicluster-operators-subscription-release-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/multicluster-operators-subscription-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhacm2/prometheus-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhacm2/rbac-query-proxy-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "impact": "low", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/oc-mirror-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-cluster-monitoring-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-container-networking-plugins-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-docker-builder", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-hypershift-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "impact": "low", "package_name": "openshift4/ose-machine-api-provider-openstack-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-openshift-proxy-pull-test-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-prometheus-rhel9-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-prom-label-proxy", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "impact": "low", "package_name": "openshift4/ose-vsphere-cloud-controller-manager-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/special-resource-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Out of support scope", "impact": "low", "package_name": "openshift-sandboxed-containers/osc-rhel8-operator", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "impact": "low", "package_name": "rhosp-rhel8-tech-preview/osp-director-operator", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2022-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24778\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24778\nhttps://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"], "statement": "Only Fedora is using the affected codebase. Hence, marking other products as of Low impact as they are using an affected version of 'imgcrypt' as a transitive dependency.", "threat_severity": "Important"}