
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24778 affects the imgcrypt library, which provides API extensions for containerd to support encrypted container images. The vulnerability was discovered in March 2022 and affects versions prior to 1.1.4. The issue lies in the CheckAuthorization function, which is designed to verify whether a user is authorized to access an encrypted image and prevent users from running images previously decrypted by others on the same system (GitHub Advisory).
The flaw is triggered by images that carry a ManifestList (a multi-architecture image index) in which the local host's architecture is not the first entry. CheckAuthorization tested only the first manifest in the list, and that manifest's layers are usually not present locally, because it could not run on the host and so was never pulled. The check treated unavailable layers as runnable, on the assumption that the run would fail later anyway when the layers turned out to be missing, so it returned an authorized verdict without ever examining the manifest that would actually run on the host. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
On a shared system, a user who does not hold the decryption keys could therefore run an encrypted container image whose layers had already been decrypted by another user on the same host, bypassing the authorization check entirely (GitHub Advisory).
The vulnerability was patched in imgcrypt version 1.1.4. The fix skips over manifests for architectures other than the local one and tests only the manifest that matches the host platform (GitHub Release). For systems that cannot update immediately, the advisory's workaround is to use a separate containerd namespace for each remote user, so that users do not share one another's decrypted layers (GitHub Advisory).
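The following Go program is an added illustration of the two checks described above; it is not imgcrypt's code and does not use containerd's types. It models a ManifestList, a local content store and per-recipient wrapped layer keys with hypothetical structs (Index, Store, EncryptedLayer, KeyID), then runs the constructed scenario from the advisory: an arm64 host, an index whose first entry is amd64 and was never pulled, and an arm64 manifest whose layers another user already decrypted. The vulnerable check inspects only the first entry, finds no local layers, and authorizes a user with no key; the fixed check selects the host's manifest and rejects that user.

```go
package main

import (
	"errors"
	"fmt"
)

// Platform identifies one index entry's target OS/architecture.
type Platform struct {
	OS   string
	Arch string
}

// ManifestEntry is one entry of an OCI image index (ManifestList).
type ManifestEntry struct {
	Digest   string
	Platform Platform
}

// Index models the ManifestList of a multi-arch image.
type Index struct {
	Manifests []ManifestEntry
}

// EncryptedLayer records the key ID its layer key was wrapped for. This is a
// hypothetical stand-in for the per-recipient wrapped keys in layer annotations.
type EncryptedLayer struct {
	Digest string
	KeyID  string
}

// Store models the local content store. Manifests that were never pulled
// (not runnable on this host) are simply absent from the Layers map.
type Store struct {
	Layers  map[string][]EncryptedLayer // manifest digest -> its layers
	Present map[string]bool             // layer digest -> blob is local
}

var ErrNotAuthorized = errors.New("user is not authorized to run this image")

// checkManifest applies the per-manifest rule: a layer whose blob is not in
// the local store is skipped, because a run would fail later anyway; a layer
// that is local must be unwrappable with one of the caller's keys.
func checkManifest(store Store, manifestDigest string, userKeys map[string]bool) error {
	for _, layer := range store.Layers[manifestDigest] {
		if !store.Present[layer.Digest] {
			continue
		}
		if !userKeys[layer.KeyID] {
			return ErrNotAuthorized
		}
	}
	return nil
}

// CheckAuthorizationVulnerable reproduces the pre-1.1.4 behaviour: only the
// first entry of the index is examined, regardless of the host platform.
func CheckAuthorizationVulnerable(idx Index, store Store, userKeys map[string]bool) error {
	if len(idx.Manifests) == 0 {
		return errors.New("empty image index")
	}
	return checkManifest(store, idx.Manifests[0].Digest, userKeys)
}

// CheckAuthorizationFixed follows the shape of the 1.1.4 fix: entries for
// other platforms are skipped and only the manifest that would actually run
// is tested. Treating a missing host entry as an error is this model's choice.
func CheckAuthorizationFixed(idx Index, store Store, host Platform, userKeys map[string]bool) error {
	for _, m := range idx.Manifests {
		if m.Platform != host {
			continue
		}
		return checkManifest(store, m.Digest, userKeys)
	}
	return fmt.Errorf("no manifest for %s/%s in index", host.OS, host.Arch)
}

// Scenario builds the constructed situation from the advisory: an arm64 host,
// an index whose first entry is amd64 (never pulled), and an arm64 manifest
// whose only layer was decrypted on this host by user "alice".
func Scenario() (Index, Store, Platform) {
	host := Platform{OS: "linux", Arch: "arm64"}
	idx := Index{Manifests: []ManifestEntry{
		{Digest: "sha256:amd64manifest", Platform: Platform{OS: "linux", Arch: "amd64"}},
		{Digest: "sha256:arm64manifest", Platform: host},
	}}
	store := Store{
		Layers: map[string][]EncryptedLayer{
			"sha256:arm64manifest": {{Digest: "sha256:layer1", KeyID: "alice-key"}},
		},
		Present: map[string]bool{"sha256:layer1": true},
	}
	return idx, store, host
}

func main() {
	idx, store, host := Scenario()
	bob := map[string]bool{"bob-key": true} // bob holds no key for this image
	fmt.Println("vulnerable:", CheckAuthorizationVulnerable(idx, store, bob)) // <nil>: bob may run alice's image
	fmt.Println("fixed:     ", CheckAuthorizationFixed(idx, store, host, bob)) // not authorized
}
```

The bypass depends on two things being true at once: the first index entry has no local layers (so the skip-if-missing rule finds nothing to check) while the host's entry does, because someone else already decrypted it. Selecting the manifest by platform before checking layers removes the first condition.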
Source: This report was generated using AI