CVE-2022-43441
Published 2023-03-16
Priority: P352 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.36% (81.6th percentile)
A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-sqlite3 | < node-sqlite3 5.1.5+ds1-1 (bookworm) | node-sqlite3 5.1.5+ds1-1 (bookworm) |
| ghost | sqlite3 | >= 5.0.0 < 5.1.5 | 5.1.5 |
| ghost | sqlite3 | >= 5.0.0 < 5.1.5 | 5.1.5 |
| ghost_foundation | node-sqlite3 | — | — |
| ghost_foundation | node-sqlite3 | >= 0 < 5.0.0+ds1-1+deb11u2 | 5.0.0+ds1-1+deb11u2 |
| ghost_foundation | node-sqlite3 | >= 0 < 5.1.5+ds1-1 | 5.1.5+ds1-1 |
| ghost_foundation | node-sqlite3 | >= 0 < 5.1.5+ds1-1 | 5.1.5+ds1-1 |
| ghost_foundation | node-sqlite3 | >= 0 < 5.1.5+ds1-1 | 5.1.5+ds1-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.1 | HIGH | — |
OSV · 2023-03-16 · CVSS 9.8 · CVE-2022-43441 [CRITICAL]
OSV · 2023-03-13 · CVE-2022-43441 [HIGH]
sqlite vulnerable to code execution due to Object coercion
### Impact
Due to the underlying implementation of `.ToString()`, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.
Users of `sqlite3` v5.0.0 - v5.1.4 are affected by this.
### Patches
Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.
### Workarounds
* Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.
### References
* Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781
### For more information
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailt
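An application-side check of the kind the Workarounds item above describes, written here as an added example and not node-sqlite3's or Ghost's own code: it refuses any binding value that is not a primitive or a Buffer before the statement runs, so a crafted Object (including nested objects from a parsed JSON body) is never handed to the binding layer. The names `isSafeBindingValue`, `assertSafeBindings` and `runSafe`, and the `$`/`:`/`@` key rule for named parameters, are assumptions.

```javascript
// Added example (not node-sqlite3's own code): validate binding parameters in the
// application before they reach sqlite3, as the advisory's workaround suggests.
// Assumption: bindings are either an array of positional values or a plain object
// of named values with node-sqlite3-style "$name" / ":name" / "@name" keys.

const SAFE_TYPES = new Set(['string', 'number', 'boolean', 'undefined']);

// A value is safe only if it is a JS primitive or a raw Buffer. Anything else
// (class instances, Date, arrays, objects with their own toString/valueOf, or
// nested objects produced by JSON.parse) is refused rather than coerced.
function isSafeBindingValue(v) {
  return v === null || SAFE_TYPES.has(typeof v) || Buffer.isBuffer(v);
}

// Returns a prototype-free copy of the bindings, or throws a TypeError that names
// the offending slot. Values are copied as-is; nothing is stringified here.
function assertSafeBindings(params) {
  if (Array.isArray(params)) {
    return params.map((v, i) => {
      if (!isSafeBindingValue(v)) throw new TypeError(`unsafe binding at index ${i}`);
      return v;
    });
  }
  if (params === null || typeof params !== 'object') {
    throw new TypeError('bindings must be an array or a plain object');
  }
  const proto = Object.getPrototypeOf(params);
  if (proto !== Object.prototype && proto !== null) {
    throw new TypeError('named bindings must be a plain object, not a class instance');
  }
  const out = Object.create(null);
  for (const key of Object.keys(params)) {
    // Assumed naming rule: one prefix character followed by an identifier.
    if (!/^[$:@][A-Za-z0-9_]+$/.test(key)) throw new TypeError(`invalid parameter name: ${key}`);
    if (!isSafeBindingValue(params[key])) throw new TypeError(`unsafe binding for ${key}`);
    out[key] = params[key];
  }
  return out;
}

// Drop-in wrapper around db.run(sql, params, callback): validate, then delegate.
function runSafe(db, sql, params, callback) {
  return db.run(sql, assertSafeBindings(params), callback);
}
```

The check is deliberately stricter than what the library accepts (for instance it rejects Date objects), so an application that relies on such values must convert them to primitives itself.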
GHSA · 2023-03-13 · CVE-2022-43441 [HIGH] · CWE-913
sqlite vulnerable to code execution due to Object coercion
Debian · 2022 · CVSS 8.1 · CVE-2022-43441 [HIGH] · node-sqlite3
Scope: local
bookworm: resolved (fixed in 5.1.5+ds1-1)
bullseye: resolved (fixed in 5.0.0+ds1-1+deb11u2)
forky: resolved (fixed in 5.1.5+ds1-1)
sid: resolved (fixed in 5.1.5+ds1-1)
trixie: resolved (fixed in 5.1.5+ds1-1)
No detection rules found.
No public exploits indexed.
Talos · 2023-03-16 · CVSS 8.1 [HIGH]
Vulnerability Spotlight: Node-SQLite3 issue could lead to denial of service in Ghost CMS
Cisco Talos recently discovered a vulnerability in node-sqlite3 that affects the Ghost content management system and could affect other software utilizing this library.
Ghost is a content management system with tools to build a website, publish content and send newsletters.
The node-sqlite3 library provides asynchronous, non-blocking SQLite3 bindings for Node.js. Ghost maintains the node-sqlite3 library and uses it in its CMS platform.
Talos identified a remote code execution vulnerability if an attacker sends the target a specially crafted JSON object. TALOS-2022-1645 (CVE-2022-43441) exists in the node-sqlite3 module, which provides asynchronous, non-blocking SQLite3 bindings for Node.js and could affect applications using the module.
Due to JSON format limitations, the vulnerability
References
* https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74
* https://talosintelligence.com/vulnerability_reports/TALOS-2022-1645
* https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1645