Open MohitRajShakya opened 1 year ago
cpprestsdk itself does not invoke the c_rehash script; it just loads up OpenSSL. I am investigating if the vcpkg installation process runs that script, and if so I'll update the vcpkg submodule.
If you are using cpprestsdk from vcpkg, or using cpprestsdk but not the embedded vcpkg submodule, this is a non-issue either way.
That said, it appears to me that that vulnerability is fairly low severity, even when the script is automatically executed, because it processes the directory that contains the certificate store for the system. If you can write specially crafted certificates to that directory, you can probably find easier ways to execute code as root.
Hi Charlie,
Thanks a lot for the feedback and suggestion. I understand that there is no impact on cpprest functionality as such.
Thank you and best regards, Mohit.
Hi,
OpenSSL has reported a c_rehash script-related vulnerability in "CVE-2022-2068". Reference: https://www.openssl.org/news/secadv/20220621.txt
May I request that you please let us know if there is any impact of "CVE-2022-2068" on cpprest functionality?
Thank you and best regards, Mohit.