Impact of “CVE-2022-2068” on cpprest sdk

Open MohitRajShakya opened this issue 3 years ago • 3 comments

Hi,

OpenSSL has reported a c_rehash script related vulnerability in "CVE-2022-2068". Reference: https://www.openssl.org/news/secadv/20220621.txt

May I request that you please let us know if there is any impact of "CVE-2022-2068" on cpprest functionality?

Thank you and best regards, Mohit.

MohitRajShakya, Aug 01 '22 07:08

cpprestsdk itself does not invoke the c_rehash script; it just loads up openssl. I am investigating if the vcpkg installation process runs that script, and if so I'll update the vcpkg submodule.

If you are using cpprestsdk from vcpkg, or using cpprestsdk but not the embedded vcpkg submodule, this is a non-issue either way.

barcharcraz, Aug 03 '22 00:08

That said, it appears to me that that vulnerability is fairly low severity, even when the script is automatically executed, because it processes the directory that contains the certificate store for the system. If you can write specially crafted certificates to that directory, you can probably find easier ways to execute code as root.

barcharcraz, Aug 03 '22 00:08
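
The severity argument in the comment above depends on who can write to the directory that c_rehash processes. As an added example (not code from this thread, cpprestsdk or OpenSSL), the following audits that precondition by flagging the certificate directory, its ancestors and its entries when an account outside a trusted set could plant or replace files there. The names `audit_cert_dir` and `trusted_uids` are hypothetical, and the sample store is constructed.

```python
import os
import stat
import tempfile


def audit_cert_dir(cert_dir, trusted_uids=(0,)):
    """Return sorted (path, reason) findings for a certificate directory.

    Flags the directory, its ancestors and its entries when an account
    outside trusted_uids could plant or replace files there.
    """
    findings = []
    cert_dir = os.path.realpath(cert_dir)

    def check(path, ancestor=False):
        st = os.lstat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, "untrusted owner"))
        if stat.S_ISLNK(st.st_mode):
            return  # mode bits of a symlink carry no meaning
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky ancestor such as /tmp does not let others replace our path.
        if loose and not (ancestor and st.st_mode & stat.S_ISVTX):
            findings.append((path, "group/other writable"))

    parent = os.path.dirname(cert_dir)
    while True:
        check(parent, ancestor=True)
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    check(cert_dir)
    for name in os.listdir(cert_dir):
        check(os.path.join(cert_dir, name))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample store: one normal file, one world-writable file.
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "certs")
        os.mkdir(store)
        os.chmod(store, 0o755)
        for name, mode in (("good.pem", 0o644), ("loose.pem", 0o666)):
            path = os.path.join(store, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for path, reason in audit_cert_dir(store, (0, os.getuid())):
            print(reason, path)
```

An empty result on the real certificate store means only the trusted owners can place files where the script would read them.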

Hi Charlie,

Thanks a lot for the feedback and suggestion. I understand that there is no impact on cpprest functionality as such.

Thank you and best regards, Mohit.

MohitRajShakya, Aug 08 '22 06:08