CVE-2022-2068

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-2068
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2068.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-2068
Downstream
Related
Published
2022-06-21T15:15:09.060Z
Modified
2026-03-15T22:43:41.095149Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In addition to the crehash shell command injection identified in CVE-2022-1292, further circumstances where the crehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

References

Affected packages

Git / github.com/openssl/openssl

Affected ranges

Type
GIT
Repo
https://github.com/openssl/openssl
Events
Introduced
e818b74be2170fbe957a07b0da4401c2b694b3b8
Fixed
e818b74be2170fbe957a07b0da4401c2b694b3b8
Introduced
e04bd3433fd84e1861bf258ea37928d9845e6a86
Fixed
e04bd3433fd84e1861bf258ea37928d9845e6a86
Introduced
89cd17a031e022211684eb7eb41190cf1910f9fa
Fixed
54f5fca0d0b15f912e7355a378976cbff12d58fc
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bf059c2efc4db5c09970fd3d2c392432b0ac6a12
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
bf059c2efc4db5c09970fd3d2c392432b0ac6a12
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
888759a1d38197f29de7227876c3b58fbff8549f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
e818b74be2170fbe957a07b0da4401c2b694b3b8
Database specific 
{
    "versions": [
        {
            "introduced": "1.0.2"
        },
        {
            "fixed": "1.0.2zf"
        },
        {
            "introduced": "1.1.1"
        },
        {
            "fixed": "1.1.1p"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.4"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0-sp1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0-sp2"
        }
    ]
}

Affected versions

Other
OpenSSL_1_0_2u

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2068.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "36"
            }
        ]
    }
]
vanir_signatures 
[
    {
        "signature_version": "v1",
        "target": {
            "file": "include/openssl/opensslv.h"
        },
        "source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "28170854778703993674264004058177114599",
                "73132526844288570625317440636111911761",
                "177405411499435185068645597737938634778",
                "224809958623850711330610094965797758930",
                "295554444428855106393106961197201359586"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-2068-c377fa22",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "crypto/opensslv.h"
        },
        "source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "251633914150035957322733061977107206211",
                "338514574181828579838011565939158652696",
                "76638288692106140328510055542557597351",
                "142922657400765574308962710386922248045",
                "71649992455794854055653842592139575350",
                "65527166711110472566013424527579064967",
                "253196866009476977787139000804413898733",
                "172177136897997206866313011107384691461"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-2068-e051451f",
        "signature_type": "Line"
    }
]