CVE-2022-2068
Severity
7.3HIGH
EPSS
18.6%
top 4.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 21
Latest updateOct 15
Description
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a …
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9
Affected Packages4 packages
▶CVEListV5openssl/opensslFixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze), Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o), Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3)+2
Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-xjxr-x4h8-946x: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly san↗2022-06-22
OSV▶
CVE-2022-2068: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly san↗2022-06-21
📋Vendor Advisories
9Oracle▶
Oracle Oracle Communications Applications Risk Matrix: User Interface (OpenSSL) — CVE-2022-2068↗2022-10-15