RUSTSEC-2022-0025: 
Rust vulnerability analysis and mitigation

The vulnerability (RUSTSEC-2022-0025) is related to OpenSSL's crehash script, which was found to contain a command injection vulnerability (CVE-2022-1292). The issue was discovered by Elison Niven of Sophos and reported to OpenSSL on April 2nd, 2022. The vulnerability affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, where the crehash script fails to properly sanitize shell metacharacters (OpenSSL Advisory).

The vulnerability is classified as Moderate severity and stems from improper sanitization of shell metacharacters in the c_rehash script. The script, which is automatically executed on some operating systems, lacks proper input validation mechanisms that could prevent command injection attacks. The technical nature of the vulnerability relates to shell command processing and metacharacter handling (OpenSSL Advisory).

On affected systems where the c_rehash script is configured for automatic execution, attackers could potentially execute arbitrary commands with the privileges of the script. This presents a significant security risk, particularly in environments where the script runs with elevated privileges (OpenSSL Advisory).

OpenSSL has released patches for all affected versions: Users of OpenSSL 1.0.2 should upgrade to 1.0.2ze (available only for premium support customers), OpenSSL 1.1.1 users should upgrade to 1.1.1o, and OpenSSL 3.0 users should upgrade to 3.0.3. Additionally, users are advised to replace the c_rehash script usage with the OpenSSL rehash command line tool (OpenSSL Advisory).