CVE-2022-46908 — SQL Injection in Sqlite

CWE-89 — SQL Injection11 documents9 sources

Severity

7.3HIGHNVD

EPSS

0.1%

top 66.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ghost Sqlite3 Sqlite

Timeline

PublishedDec 12

Latest updateJan 15

Description

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:LExploitability: 1.8 | Impact: 5.5

Affected Packages3 packages

▶NVDsqlite/sqlite3.37.0 — 3.40.1

▶Debianghost/sqlite3< 3.40.0-2+2

▶Ubuntughost/sqlite3< 3.31.1-4ubuntu0.6+1

Patches

Patch: sqlite.org ↗Patch: sqlite.org ↗

🔴Vulnerability Details

OSV

sqlite3 vulnerabilities↗2024-01-03

▶

CVEList

CVE-2022-46908: SQLite through 3↗2022-12-12

▶

GHSA

GHSA-993x-6558-2xmj: SQLite through 3↗2022-12-12

▶

OSV

CVE-2022-46908: SQLite through 3↗2022-12-12

▶

📋Vendor Advisories

Oracle

Oracle Oracle MySQL Risk Matrix: MySQL Workbench (SQLite) — CVE-2022-46908↗2024-01-15

▶

Ubuntu

SQLite vulnerabilities↗2024-01-03

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Common fns (SQLite) — CVE-2022-46908↗2023-04-15

▶

Microsoft

SQLite through 3.40.0 when relying on --safe for execution of an untrusted CLI script does not properly implement the azProhibitedFunctions protection mechanism and instead allows UDF functions such a↗2022-12-13

▶

Red Hat

sqlite: safe mode authorizer callback allows disallowed UDFs↗2022-12-12

▶