CVE-2022-43441 — Improperly Controlled Modification of Dynamically-Determined Object Attributes in Sqlite3

CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-913 — Improper Control of Dynamically-Managed Code Resources8 documents6 sources

Severity

9.8CRITICALNVD

CNA8.1

EPSS

6.9%

top 8.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ghost Sqlite3 Ghost Foundation Node-sqlite3

Timeline

PublishedMar 16

Description

A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5ghost_foundation/node-sqlite35.1.1

▶NVDghost/sqlite35.0.0 — 5.1.5

▶npmghost/sqlite35.0.0 — 5.1.5

🔴Vulnerability Details

CVEList

CVE-2022-43441: A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5↗2023-03-16

▶

OSV

CVE-2022-43441: A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5↗2023-03-16

▶

OSV

sqlite vulnerable to code execution due to Object coercion↗2023-03-13

▶

GHSA

sqlite vulnerable to code execution due to Object coercion↗2023-03-13

▶

📋Vendor Advisories

Debian

CVE-2022-43441: node-sqlite3 - A code execution vulnerability exists in the Statement Bindings functionality of...↗2022

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Node-SQLite3 issue could lead to denial of service in Ghost CMS↗2023-03-16

▶

Talos

Vulnerability Spotlight: Node-SQLite3 issue could lead to denial of service in Ghost CMS↗2023-03-16

▶