CVE-2022-2068 - log back

CVE-2022-2068 edited at 21 Jun 2022 17:25:41
- Denial of service
+ Arbitrary command execution
CVE-2022-2068 created at 21 Jun 2022 17:25:13
+ Medium
+ Local
+ Denial of service
+ In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.