Unknown
CVE-2022-2068
CVE-2022-2068
Description
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
General Information
Vendors
- broadcom,
- debian,
- fedoraproject,
- netapp,
- openssl,
- siemens
Products
- aff 8300 firmware -,
- aff 8700 firmware -,
- aff a400 firmware -,
- bootstrap os -,
- debian linux 10.0,
- debian linux 11.0,
- element software -,
- fas 8300 firmware -,
- fas 8700 firmware -,
- fas a400 firmware -,
- fedora 35,
- fedora 36,
- h300s firmware -,
- h410c firmware -,
- h410s firmware -,
- h500s firmware -,
- h610c firmware -,
- h610s firmware -,
- h615c firmware -,
- h700s firmware -,
- hci management node -,
- ontap antivirus connector -,
- ontap select deploy administration utility -,
- openssl,
- sannav -,
- santricity smi-s provider -,
- sinec ins,
- sinec ins 1.0,
- smi-s provider -,
- snapmanager -,
- solidfire -
References
Advisory
