← voltar
CVE-2022-1292

The c_rehash script allows command injection

CVSS 9.8 CRITICALEPSS 83.6%CWE-78
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
OpenSSL · OpenSSL
PoCs públicas encontradas5
githubgithub.com/alcaparra/CVE-2022-129228githubgithub.com/und3sc0n0c1d0/CVE-2022-12927githubgithub.com/greek0x0/CVE-2022-12926githubgithub.com/rama291041610/CVE-2022-12925githubgithub.com/li8u99/CVE-2022-12924
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdfhttps://gitlab.com/fraf0/cve-2022-1292-re_score-analysishttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfebhttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23https://lists.debian.org/debian-lts-announce/2022/05/msg00019.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011https://security.gentoo.org/glsa/202210-02https://security.netapp.com/advisory/ntap-20220602-0009/https://security.netapp.com/advisory/ntap-20220729-0004/