CVE-2022-1292

Published: 03/05/2022 Updated: 29/06/2022
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

Vulnerable Product

openssl openssl

Vendor Advisories

Elison Niven discovered that the c_rehash script included in OpenSSL did not sanitise shell meta characters which could result in the execution of arbitrary commands. For the oldstable distribution (buster), this problem has been fixed in version 1.1.1n-0+deb10u2. For the stable distribution (bullseye), this problem has been fixed in version 1.1.1n ...
Several security issues were fixed in OpenSSL ...
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obs ...

Github Repositories

CVE-2022-1292 bash chacksh

CVE-2022-1292 Description: The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolet

CVE-2022-1292 CVE-2022-1292 c_rehash POC

Recent Articles

OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
The Register • Thomas Claburn in San Francisco • 01 Jan 1970

Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).
But this release itself needs further fixing. OpenSSL 3.0...