CVE-2022-2068

HIGHScheduled

Published:Jun 21, 2022(3 years ago)

Modified:Nov 3, 2025

Local AccessLow Complexity

Vulnerability Description

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Attack Characteristics

Local AccessLow ComplexityLow PrivilegesUser Interaction Required

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
openssl	openssl	1.0.2 - 1.0.2zf	-
openssl	openssl	1.1.1 - 1.1.1p

Timeline

Published
CVE disclosed publicly
Jun 21, 20223 years ago
Last Modified
Most recent update
Nov 3, 20256 months ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfThird Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c3...Patch
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c0...Patch

CVSS Score

v3.1

7.3/ 10.0

HIGH

AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

At a Glance

Affected Products

References

openssl / openssl

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=96398...Patch

https://lists.fedoraproject.org/archives/list/package-announce%40lists...Mailing List

https://security.netapp.com/advisory/ntap-20220707-0008/Third Party Advisory

https://www.debian.org/security/2022/dsa-5169Third Party Advisory

https://www.openssl.org/news/secadv/20220621.txtVendor Advisory

http://seclists.org/fulldisclosure/2024/Nov/0

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfThird Party Advisory

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c3...Patch

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c0...Patch

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=96398...Patch

https://gitlab.com/fraf0/cve-2022-1292-re_score-analysis

https://lists.fedoraproject.org/archives/list/package-announce%40lists...Mailing List

https://security.netapp.com/advisory/ntap-20220707-0008/Third Party Advisory

https://www.debian.org/security/2022/dsa-5169Third Party Advisory

https://www.openssl.org/news/secadv/20220621.txtVendor Advisory

CVSS v3 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability

Attack VectorLocal

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

Impact

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

Impact Analysis

ConfidentialityHigh

NoneLowHigh

IntegrityHigh

NoneLowHigh

AvailabilityHigh

NoneLowHigh

CVE-2022-2068

✦ Vulnerability Description

Attack Characteristics

Affected Software

Timeline

References

CVSS Score

At a Glance

Official Sources

CVSS v3 Vector

Impact Analysis

Vulnerability Description