CVE-2022-1292: 
MySQL vulnerability analysis and mitigation

CVE-2022-1292 is a command injection vulnerability in OpenSSL's c_rehash script discovered in May 2022. The script fails to properly sanitize shell metacharacters, allowing potential command injection. This vulnerability affects OpenSSL versions 1.0.2 (before 1.0.2ze), 1.1.1 (before 1.1.1o), and 3.0 (before 3.0.3). The script is distributed by some operating systems in a manner where it is automatically executed (OpenSSL Advisory).

The vulnerability exists in the c_rehash script which is used to create symbolic links to certificate files. The script fails to properly sanitize shell metacharacters in certificate filenames, enabling command injection. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), indicating high severity with network attack vector, low attack complexity, and no required privileges or user interaction (NVD).

On systems where the c_rehash script is automatically executed, an attacker could execute arbitrary commands with the privileges of the script. This could lead to unauthorized system access, data manipulation, or service disruption. The vulnerability is particularly concerning for operating systems that automatically execute the script as part of their certificate management processes (MITRE CVE).

The vulnerability has been fixed in OpenSSL versions 1.0.2ze, 1.1.1o, and 3.0.3. Users should upgrade to these or later versions. As a workaround, users should replace the use of c_rehash script with the OpenSSL rehash command line tool. System administrators should also review and restrict access to certificate directories (Red Hat Advisory).