


Perceptive Security
SOC/SIEM Consultancy

vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine…
Published:
30 March 2026 at 22:00:00
Alert date:
31 March 2026 at 04:03:55
Source:
nvd.nist.gov
Supply Chain & Dependencies, Operating Systems
vcpkg, a free and open-source C/C++ package manager, contained a vulnerability in versions prior to 3.6.1#3 where Windows builds of OpenSSL set openssldir to a path on the build machine. This configuration made that path attackable later on customer machines. The issue affects the security of OpenSSL installations distributed through vcpkg on Windows systems. Microsoft has patched this vulnerability in version 3.6.1#3. The vulnerability represents a supply chain security issue where build-time configurations create security risks on end-user systems.
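A defender-side check for the condition described above, as an added example that is not code from vcpkg, OpenSSL or the advisory: it parses the output of `openssl version -a` from a Windows build and flags compiled-in directories that fall outside locations standard users cannot write to. The trusted prefix list, the function names and the sample output are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: directories that standard users cannot write to on a default
# Windows install. Adjust to the locations your product actually installs to.
TRUSTED_PREFIXES = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# Constructed sample of `openssl version -a` output; all paths are made up.
SAMPLE_VERSION_OUTPUT = r'''OpenSSL 3.x (constructed sample)
platform: VC-WIN64A
OPENSSLDIR: "D:\a\build\packages\openssl_x64-windows"
ENGINESDIR: "C:\Program Files\ExampleApp\engines-3"
MODULESDIR: "C:\Program Files\ExampleApp\ossl-modules"
'''

# The three directory settings OpenSSL reports as compiled-in defaults.
DIR_LINE = re.compile(r'^(OPENSSLDIR|ENGINESDIR|MODULESDIR):\s*"(.*)"\s*$', re.M)


def compiled_in_dirs(version_output):
    """Return {setting: path} for the directories baked in at build time."""
    return dict(DIR_LINE.findall(version_output))


def is_under(path, prefix):
    """True if path equals prefix or lies below it (case-insensitive, '..' resolved)."""
    p = ntpath.normcase(ntpath.normpath(path))
    q = ntpath.normcase(ntpath.normpath(prefix))
    return p == q or p.startswith(q + "\\")


def audit(version_output, trusted=TRUSTED_PREFIXES):
    """List (setting, path) pairs that are relative or outside every trusted prefix."""
    findings = []
    for name, path in compiled_in_dirs(version_output).items():
        if not ntpath.isabs(path) or not any(is_under(path, t) for t in trusted):
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for name, path in audit(SAMPLE_VERSION_OUTPUT):
        print(f"{name} points outside a protected location: {path}")
```

A flagged path is a prompt to review who can create or write that directory on the deployed machine; an empty result only means the paths match the assumed prefix list.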
Affected products:
vcpkg
OpenSSL
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-34054
https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9
https://github.com/microsoft/vcpkg/pull/50518
https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9
This article was created with the assistance of AI technology by Perceptive.
