A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | openssl | 2022-07-28 20:38 | ALAS-2022-1626 |
Amazon Linux 2 - Core | openssl | 2022-07-28 21:55 | ALAS2-2022-1831 |
Amazon Linux 2023 | openssl | 2023-02-17 20:45 | ALAS2023-2023-051 |
Amazon Linux 2 - Openssl-snapsafe Extra | openssl-snapsafe | 2023-07-17 19:27 | ALAS2OPENSSL-SNAPSAFE-2023-001 |
Amazon Linux 2 - Core | openssl11 | 2022-07-28 21:55 | ALAS2-2022-1832 |
Amazon Linux 2 - Core | edk2 | 2024-03-13 20:26 | ALAS2-2024-2502 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
NVD | CVSSv2 | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
NVD | CVSSv3 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |