CVE-2022-2068

Public on 2022-06-21

Modified on 2023-07-07

Description

A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script.

Severity

Medium

See what this means

CVSS v3 Base Score

6.7

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	openssl	2022-07-28 20:38	ALAS-2022-1626
Amazon Linux 2 - Core	openssl	2022-07-28 21:55	ALAS2-2022-1831
Amazon Linux 2023	openssl	2023-02-17 20:45	ALAS2023-2023-051
Amazon Linux 2 - Openssl-snapsafe Extra	openssl-snapsafe	2023-07-17 19:27	ALAS2OPENSSL-SNAPSAFE-2023-001
Amazon Linux 2 - Core	openssl11	2022-07-28 21:55	ALAS2-2022-1832
Amazon Linux 2 - Core	edk2	2024-03-13 20:26	ALAS2-2024-2502

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD	CVSSv2	10.0	AV:N/AC:L/Au:N/C:C/I:C/A:C
NVD	CVSSv3	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2022-2068 Mitre: CVE-2022-2068 FAQs regarding Amazon Linux ALAS/CVE Severity