CVE-2022-2068
Public on 2022-06-21
Modified on 2023-07-07
Description
A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | edk2 | 2024-03-13 | ALAS2-2024-2502 | Fixed |
| Amazon Linux 1 | openssl | 2022-07-28 | ALAS-2022-1626 | Fixed |
| Amazon Linux 2 - Core | openssl | 2022-07-28 | ALAS2-2022-1831 | Fixed |
| Amazon Linux 2023 | openssl | 2023-02-17 | ALAS2023-2023-051 | Fixed |
| Amazon Linux 2 - Openssl-snapsafe Extra | openssl-snapsafe | 2023-07-17 | ALAS2OPENSSL-SNAPSAFE-2023-001 | Fixed |
| Amazon Linux 2 - Core | openssl11 | 2022-07-28 | ALAS2-2022-1832 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| NVD | CVSSv3 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |