CVE-2022-21227 — Uncaught Exception in Sqlite3

CWE-248 — Uncaught Exception CWE-1287 — Improper Validation of Specified Type of Input7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 43.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ghost Sqlite3

Timeline

PublishedMay 1

Description

The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5ghost/sqlite3unspecified — 5.0.3

▶NVDghost/sqlite3< 5.0.3

▶npmghost/sqlite35.0.0 — 5.0.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Denial of Service (DoS)↗2022-05-01

▶

OSV

CVE-2022-21227: The package sqlite3 before 5↗2022-05-01

▶

GHSA

Denial-of-Service when binding invalid parameters in sqlite3↗2022-04-28

▶

OSV

Denial-of-Service when binding invalid parameters in sqlite3↗2022-04-28

▶

📋Vendor Advisories

Red Hat

sqlite3: Denial of Service (DoS) in sqlite3↗2022-05-01

▶

Debian

CVE-2022-21227: node-sqlite3 - The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which...↗2022

▶