RUSTSEC-2022-0027: 
Rust vulnerability analysis and mitigation

The vulnerability RUSTSEC-2022-0027 is related to the OpenSSL crehash script command injection vulnerability (CVE-2022-1292). The issue was discovered in OpenSSL versions 1.0.2, 1.1.1, and 3.0, where the crehash script failed to properly sanitize shell metacharacters, potentially allowing command injection attacks. The vulnerability was reported on April 2nd, 2022, by Elison Niven of Sophos (OpenSSL Advisory).

The vulnerability stems from improper sanitization of shell metacharacters in the c_rehash script. This script, which is automatically executed on some operating systems, could be exploited to execute arbitrary commands with the script's privileges. The severity of this vulnerability is classified as Moderate. The affected versions include OpenSSL 1.0.2, 1.1.1, and 3.0 (OpenSSL Advisory).

On systems where the c_rehash script is configured for automatic execution, attackers could potentially execute arbitrary commands with the privileges of the script. This poses a significant security risk, particularly in environments where the script runs with elevated privileges (OpenSSL Advisory).

OpenSSL has released patches for all affected versions. Users of OpenSSL 1.0.2 should upgrade to 1.0.2ze (available only for premium support customers), OpenSSL 1.1.1 users should upgrade to 1.1.1o, and OpenSSL 3.0 users should upgrade to 3.0.3. Additionally, users are advised to replace the c_rehash script with the OpenSSL rehash command line tool (OpenSSL Advisory).