OS Command Injection Affecting libopenssl1_0_0 package, versions <1.0.2p-150000.3.56.1


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
5.75% (94th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about OS Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-SLES151-LIBOPENSSL100-2945502
  • published8 Jul 2022
  • disclosed7 Jul 2022

Introduced: 7 Jul 2022

CVE-2022-1292  (opens in a new tab)
CWE-78  (opens in a new tab)

How to fix?

Upgrade SLES:15.1 libopenssl1_0_0 to version 1.0.2p-150000.3.56.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libopenssl1_0_0 package and not the libopenssl1_0_0 package as distributed by SLES. See How to fix? for SLES:15.1 relevant fixed versions and status.

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

References

CVSS Scores

version 3.1