Impact of “CVE-2022-2068” on cpprest sdk

microsoft / cpprestsdk

The C++ REST SDK is a Microsoft project for cloud-based client-server communication in native code using a modern asynchronous C++ API design. This project aims to help C++ developers connect to and interact with services.

Other

7.91k stars 1.64k forks source link

Impact of “CVE-2022-2068” on cpprest sdk #1714

Open MohitRajShakya opened 1 year ago

MohitRajShakya commented 1 year ago

Hi,

OpenSSL has reported c_rehash scripts related vulnerability in "CVE-2022-2068" Reference: https://www.openssl.org/news/secadv/20220621.txt

May I request to please let us know if there is any impact of "CVE-2022-2068" on cpprest functionality?

Thank you and best regards, Mohit.

barcharcraz commented 1 year ago

cpprestsdk itself does not invoke the c_rehash script, it just loads up openssl. I am investigating if the vcpkg installation process runs that script, and if so I'll update the vcpkg submodule.

If you are using cpprestsdk from vcpkg, or using cpprestsdk but not the embedded vcpkg submodule this is a non-issue either way.

barcharcraz commented 1 year ago

That said, it appears to me that that vulnerability is fairly low severity, even when the script is automatically executed, because it processes the directory that contains the certificate store for the system. If you can write specially crafted certificates to that directory, you can probably find easier ways to execute code as root.

MohitRajShakya commented 1 year ago

Hi Charlie,

Thanks a lot for the feedback and suggestion. I understand that there is no impact on cpprest functionality as such.

Thank you and best regards, Mohit.