CVE-2022-21227
Published 2022-05-01
Priority: P336 · Severity: high · CVSS 3.1: 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.96% (77.8th percentile)
The package sqlite3 before 5.0.3 is vulnerable to Denial of Service (DoS): it invokes the toString function of a passed parameter, and if passed an invalid Function object it throws and crashes the V8 engine.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-sqlite3 | < node-sqlite3 5.0.6+ds1-1 (bookworm) | node-sqlite3 5.0.6+ds1-1 (bookworm) |
| ghost | sqlite3 | < 5.0.3 | 5.0.3 |
| ghost | sqlite3 | >= 5.0.0 < 5.0.3 | 5.0.3 |
| ghost | sqlite3 | >= unspecified < 5.0.3 | 5.0.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
sqlite3: Denial of Service (DoS) in sqlite3
Source: vendor_redhat · 2022-05-01 · CVSS 7.5 · HIGH · CWE-1287
A vulnerability was found in sqlite3. The flaw is a segmentation fault caused by an object with an invalid toString(). Users experience a fatal error when supplying such an object in the parameter array.
Package: sqlite (Red Hat Enterprise Linux 6) - Not affected
Package: sqlite (Red Hat Enterprise Linux 7) - Not affected
Package: sqlite (Red Hat Enterprise Linux 8) - Not affected
Package: sqlite (Red Hat Enterprise Linux 9) - Not affected
Debian
CVE-2022-21227: node-sqlite3 - The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which...
Source: vendor_debian · 2022 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 5.0.6+ds1-1)
bullseye: resolved (fixed in 5.0.0+ds1-1+deb11u1)
forky: resolved (fixed in 5.0.6+ds1-1)
sid: resolved (fixed in 5.0.6+ds1-1)
trixie: resolved (fixed in 5.0.6+ds1-1)
OSV
CVE-2022-21227: The package sqlite3 before 5
Source: osv · 2022-05-01 · CVSS 7.5 · HIGH
GHSA
Denial-of-Service when binding invalid parameters in sqlite3
Source: ghsa · 2022-04-28 · HIGH · CWE-248
Affected versions of sqlite3 will experience a fatal error when supplying a specific object in the parameter array. This error causes the application to crash and cannot be caught. Users of `sqlite3` v5.0.0, v5.0.1 and v5.0.2 are affected by this. This issue is fixed in v5.0.3. All users are recommended to upgrade to v5.0.3 or later. As a workaround, ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied as binding parameters.
OSV
Denial-of-Service when binding invalid parameters in sqlite3
Source: osv · 2022-04-28 · HIGH
Affected versions of sqlite3 will experience a fatal error when supplying a specific object in the parameter array. This error causes the application to crash and cannot be caught. Users of `sqlite3` v5.0.0, v5.0.1 and v5.0.2 are affected by this. This issue is fixed in v5.0.3. All users are recommended to upgrade to v5.0.3 or later. As a workaround, ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied as binding parameters.
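As an added defensive example (not code from node-sqlite3 or from the GHSA/OSV advisories above), the workaround both advisories recommend, sanitizing bind parameters in the parent application before they reach sqlite3, can be a small guard that allows only the value kinds sqlite3 binds natively and rejects everything else with an ordinary, catchable error; the `db.run` call site in the comment is an assumption.

```javascript
// Added example, not node-sqlite3 project code. Bind-parameter guard for the
// CVE-2022-21227 workaround: only values sqlite3 binds natively are allowed
// through, so an arbitrary object (for instance one whose toString is missing
// or throws) never reaches the native layer where it aborted the V8 process.
// Rejections are plain TypeErrors the application can catch and log.

function isSafeBindValue(value) {
  if (value === null || value === undefined) return true;
  switch (typeof value) {
    case 'number':
    case 'string':
    case 'boolean':
      return true;
    case 'object':
      // Buffers bind as BLOBs and Dates as timestamps; any other object,
      // including one with a tampered toString, is refused.
      return Buffer.isBuffer(value) || value instanceof Date;
    default:
      // functions, symbols, bigints and anything exotic are refused
      return false;
  }
}

// Accepts positional parameters (array) or named parameters (plain object
// keyed by $name / :name / @name). Returns a shallow copy, or throws a
// TypeError naming the offending parameter, before any native call is made.
function sanitizeBindParams(params) {
  if (params === undefined || params === null) return [];
  const entries = Array.isArray(params)
    ? params.map((v, i) => [i, v])
    : Object.entries(params);
  for (const [key, value] of entries) {
    if (!isSafeBindValue(value)) {
      throw new TypeError(
        `unsupported bind parameter at ${JSON.stringify(key)}: ${typeof value}`);
    }
  }
  return Array.isArray(params) ? params.slice() : { ...params };
}

// Assumed call site in the parent application:
//   db.run(sql, sanitizeBindParams(userSuppliedParams), callback);
```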
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470
- https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645