CVE-2022-46908
published 2022-12-12
high 7.3 CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sqlite3 | < sqlite3 3.40.0-2 (bookworm) | sqlite3 3.40.0-2 (bookworm) |
| ghost | sqlite3 | >= 0 < 3.40.0-2 | 3.40.0-2 |
| ghost | sqlite3 | >= 0 < 3.40.0-2 | 3.40.0-2 |
| ghost | sqlite3 | >= 0 < 3.40.0-2 | 3.40.0-2 |
| ghost | sqlite3 | >= 0 < 3.31.1-4ubuntu0.6 | 3.31.1-4ubuntu0.6 |
| ghost | sqlite3 | >= 0 < 3.37.2-2ubuntu0.3 | 3.37.2-2ubuntu0.3 |
| msrc | cbl2_sqlite_3.39.2-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_sqlite_3.34.1-2_on_cbl_mariner_1.0 | — | — |
| sqlite | sqlite | >= 3.37.0 < 3.40.1 | 3.40.1 |
CVSS provenance
nvd v3.1 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
osv 7.3 HIGH