CVE-2022-1292

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

Published: May 3, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-1292
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
openssl / openssl	3.0.0	3.0.3
openssl / openssl	1.0.2	1.0.2ze
openssl / openssl	1.1.1	1.1.1o
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x
oracle / enterprise_manager_ops_center	12.4.0.0	12.4.0.0.x
oracle / mysql_server	8.0.0	8.0.29.x
oracle / mysql_workbench	-	8.0.29.x
oracle / mysql_server	5.0.0	5.7.38.x
fedoraproject / fedora	35	35.x
fedoraproject / fedora	36	36.x

Vulnerability Database

289,599

CVE-2022-1292