Vulnerabilities > CVE-2022-46908 - Unspecified vulnerability in Sqlite

CVSS 7.3 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

LOW

local

low complexity

sqlite

NVD

Published: 2022-12-12

Updated: 2023-11-24

Summary

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.

Vulnerable Configurations

Part	Description	Count
Application	Sqlite Sqlite Sqlite 3.37.0 Sqlite Sqlite 3.37.1 Sqlite Sqlite 3.37.2 Sqlite Sqlite 3.38.0 Sqlite Sqlite 3.38.1 Sqlite Sqlite 3.38.2 Sqlite Sqlite 3.38.3 Sqlite Sqlite 3.38.4 Sqlite Sqlite 3.38.5 Sqlite Sqlite 3.39.0 Sqlite Sqlite 3.39.1 Sqlite Sqlite 3.39.2 Sqlite Sqlite 3.39.3 Sqlite Sqlite 3.39.4 Sqlite Sqlite 3.40.0	15

References

https://sqlite.org/src/info/cefc032473ac5ad2
https://sqlite.org/forum/forumpost/07beac8056151b2f
https://news.ycombinator.com/item?id=33948588
https://security.netapp.com/advisory/ntap-20230203-0005/
https://security.gentoo.org/glsa/202311-03