CVE-2023-32697
Published 2023-05-23
Priority: P259 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.59% (72.6th percentile)
SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacts versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xerial-sqlite-jdbc | < xerial-sqlite-jdbc 3.40.1.0+dfsg-1+deb12u1 (bookworm) | xerial-sqlite-jdbc 3.40.1.0+dfsg-1+deb12u1 (bookworm) |
| sqlite_jdbc_project | sqlite_jdbc | >= 3.6.14.1 < 3.41.2.2 | 3.41.2.2 |
| xerial | sqlite-jdbc | — | — |
Detection & IOCs (extracted from sources)
- Remote code execution is triggered via a malicious JDBC URL; monitor and restrict JDBC URL inputs, especially those supplied by untrusted or remote users.
- Vulnerable versions of sqlite-jdbc are 3.6.14.1 through 3.41.2.1; flag any deployment of these versions in Java environments as high-risk for RCE via attacker-controlled JDBC URLs.
- Audit application code and configurations for any path where a JDBC URL is derived from user-controlled or network-supplied input; this is the direct attack vector for RCE.
- The vulnerability is only exploitable when the JDBC URL is attacker-controlled; deployments where the JDBC URL is fully hardcoded or not externally influenced are not affected, as confirmed by multiple Red Hat package assessments.
- Debian scoped this as 'local' severity, suggesting exploitability may depend on local access to influence the JDBC URL in some deployment configurations.
- Oracle rates this 8.8 CVSS over HTTP but marks remote exploit as 'No', indicating the HTTP protocol is the transport context but direct remote exploitation requires additional conditions.
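As an added example (not from the advisory or the sqlite-jdbc project), a Java helper that applies two of the checks above: flagging a dependency whose sqlite-jdbc version falls in 3.6.14.1 through 3.41.2.1, and accepting an externally supplied JDBC URL only when it is a plain file path inside an application-chosen directory. The class name, the data directory and the sample version strings are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SqliteJdbcGuard {
    // Affected range stated in the advisory: 3.6.14.1 through 3.41.2.1; fixed in 3.41.2.2.
    private static final String FIRST_VULNERABLE = "3.6.14.1";
    private static final String FIRST_FIXED = "3.41.2.2";

    /** Component-wise numeric comparison of dotted versions; a missing component counts as 0.
     *  Non-numeric components (e.g. "-SNAPSHOT") are not handled and raise NumberFormatException. */
    static int compareVersions(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    /** True when a sqlite-jdbc version lies in [3.6.14.1, 3.41.2.2), i.e. inside the affected range. */
    static boolean isVulnerable(String version) {
        return compareVersions(version, FIRST_VULNERABLE) >= 0
            && compareVersions(version, FIRST_FIXED) < 0;
    }

    /** Allow-list check for a JDBC URL that reached the application from outside: accept only
     *  "jdbc:sqlite:" followed by a relative file path that stays inside allowedDir; reject
     *  sqlite-jdbc special forms (anything starting with ':', such as :memory:) and query strings. */
    static boolean isAllowedJdbcUrl(String url, Path allowedDir) {
        final String prefix = "jdbc:sqlite:";
        if (url == null || !url.startsWith(prefix)) return false;
        String target = url.substring(prefix.length());
        if (target.isEmpty() || target.startsWith(":") || target.contains("?")) return false;
        Path base = allowedDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(target).normalize();   // collapses any ".." segments
        return resolved.startsWith(base) && !resolved.equals(base);
    }

    public static void main(String[] args) {
        for (String v : new String[] {"3.6.14.0", "3.6.14.1", "3.40.1.0", "3.41.2.1", "3.41.2.2"}) {
            System.out.printf("sqlite-jdbc %-9s affected=%b%n", v, isVulnerable(v));
        }
        Path dataDir = Paths.get("/var/lib/app/db"); // constructed example directory
        for (String url : new String[] {"jdbc:sqlite:orders.db", "jdbc:sqlite:../../etc/app.db",
                                        "jdbc:sqlite::memory:", "jdbc:sqlite:orders.db?x=1"}) {
            System.out.printf("%-34s allowed=%b%n", url, isAllowedJdbcUrl(url, dataDir));
        }
    }
}
```

The Debian package in the table above carries a distribution version string (3.40.1.0+dfsg-1+deb12u1), so compare the upstream component only when scanning those hosts.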
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 8.8 | HIGH | |
| vendor_oracle | 8.8 | HIGH | |
| vendor_redhat | 8.8 | HIGH | |
Oracle
Oracle Fusion Middleware Risk Matrix: B2B Engine (SQLite) vulnerability (CVE-2023-32697)
vendor_oracle · 2024-01-15 · CVSS 8.8 (HIGH)
CVE: CVE-2023-32697
CVSS: 8.8
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Red Hat
sqlite-jdbc: Remote code execution when JDBC url is attacker controlled
vendor_redhat · 2023-05-24 · CVSS 8.8 (HIGH) · CWE-94
A flaw was found in SQLite-JDBC. A vulnerability found in the JDBC URL allowed a malicious user to cause Remote Code Execution (RCE).
Package: sqlite-jdbc (Red Hat Data Grid 8) - Not affected
Package: sqlite-jdbc (Red Hat Fuse 7) - Not affected
Package: opendaylight (Red Hat OpenStack Platform 13 (Queens)) - Out of support scope
Package: sqlite-jdbc (Red Hat Single Sign-On 7) - Not affected
Debian
CVE-2023-32697: xerial-sqlite-jdbc - SQLite JDBC is a library for accessing and creating SQLite database files in Jav...
vendor_debian · 2023 · CVSS 8.8 (HIGH)
Scope: local
bookworm: resolved (fixed in 3.40.1.0+dfsg-1+deb12u1)
forky: resolved (fixed in 3.42.0.0+dfsg-1)
sid: resolved (fixed in 3.42.0.0+dfsg-1)
trixie: resolved (fixed in 3.42.0.0+dfsg-1)
GHSA
Sqlite-jdbc vulnerable to remote code execution when JDBC url is attacker controlled
ghsa · 2023-05-23 · HIGH · CWE-94
## Summary
Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL.
## Impacted versions
3.6.14.1-3.41.2.1
## References
https://github.com/xerial/sqlite-jdbc/releases/tag/3.41.2.2
OSV
Sqlite-jdbc vulnerable to remote code execution when JDBC url is attacker controlled
osv · 2023-05-23 · HIGH
OSV
CVE-2023-32697: SQLite JDBC is a library for accessing and creating SQLite database files in Java
osv · 2023-05-23 · CVSS 9.8 (CRITICAL)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.