CVE-2022-23220: 
NixOS vulnerability analysis and mitigation

USBView 2.1 before 2.2, a USB device viewer tool, contained a significant security vulnerability identified as CVE-2022-23220. The vulnerability was discovered in January 2022 and affected multiple Linux distributions including Ubuntu, Debian, and Gentoo. The issue stemmed from improper handling of authorization in the PolicyKit policy configuration, which allowed local users, particularly those logged in via SSH, to execute arbitrary code with root privileges (NVD, Debian Advisory).

The vulnerability was introduced in USBView 2.1 through a polkit policy file that contained problematic authentication settings (allow_any=yes). These settings effectively allowed users in inactive sessions or those logged in remotely via SSH to run usbview as root without providing any authentication. The vulnerability could be exploited using the --gtk-module command line parameter. The issue received a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (OSS Security, NVD).

The vulnerability allowed local users to escalate their privileges to root level, potentially gaining complete control over the affected system. This was particularly concerning as it could be exploited without requiring an active graphical session, making it accessible to users logged in remotely (OSS Security).

The vulnerability was fixed in USBView version 2.2 through multiple commits. The immediate fix involved correcting the policy file settings, and additional hardening of the polkit invocation was implemented. Furthermore, USBView version 3.0 was later released, which eliminated the need for root privileges entirely, providing a more comprehensive solution to the security concern (OSS Security, GitHub Commit).