CVE-2022-35737: Improper Validation of Array Index in SQLite

Severity: 7.5 HIGH (NVD)
EPSS: 51.9% (top 2.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 3; Latest update Jan 9

Description

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD | sqlite/sqlite | 1.0.12 | 3.39.2
Debian | ghost/sqlite3 | < 3.39.2-1 | +2
NVD | splunk/universal_forwarder | 8.2.0 | 8.2.12 | +2

🔴 Vulnerability Details (5)

OSV
`libsqlite3-sys` via C SQLite improperly validates array index (2022-08-04)
GHSA
`libsqlite3-sys` via C SQLite improperly validates array index (2022-08-04)
OSV
`libsqlite3-sys` via C SQLite CVE-2022-35737 (2022-08-03)
OSV
CVE-2022-35737: SQLite 1 (2022-08-03)
CVEList
CVE-2022-35737: SQLite 1 (2022-08-03)

📋 Vendor Advisories (9)

Microsoft
MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow (2024-01-09)
Oracle
Oracle Oracle Communications Risk Matrix: Policy (SQLite) — CVE-2022-35737 (2023-04-15)
Oracle
Oracle Oracle Communications Applications Risk Matrix: IMAP (NSS) — CVE-2022-35737 (2023-01-15)
Ubuntu
SQLite vulnerability (2022-11-21)
Ubuntu
SQLite vulnerability (2022-11-07)

🕵️ Threat Intelligence (2)

Trailofbits
Stranger Strings: An exploitable flaw in SQLite (2022-10-25)
Trailofbits
Stranger Strings: An exploitable flaw in SQLite (2022-10-25)