CVE-2022-43441 sqlite3

Package

Manager: npm
Name: sqlite3
Vulnerable Version: >=5.0.0 <5.1.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.06155 (percentile 0.90454)

Details

sqlite vulnerable to code execution due to Object coercion

Impact

Due to the underlying implementation of `.ToString()`, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object. Users of `sqlite3` v5.0.0 - v5.1.4 are affected by this.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

* Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.

References

* Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781

For more information

If you have any questions or comments about this advisory:

* Email us at security@ghost.org

Credits: Dave McDaniel of Cisco Talos
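The workaround above asks the parent application to sanitize binding parameters before they reach sqlite3. The following is an added example of such a check, not code from the advisory or from the node-sqlite3 project; it assumes the application only ever binds null, JavaScript scalars and Buffers (so Date and other objects are refused), and `reject`, `sanitizeBindParams` and `safeRun` are hypothetical names.

```javascript
// Added example (not from the advisory or the sqlite3 project): an allow-list
// check for binding parameters, the sanitization the advisory's workaround
// asks the parent application to do. Assumption: the application only binds
// null, JS scalars and Buffers; any other object is refused before it reaches
// the native layer, so no caller-controlled toString()/valueOf() runs there.

const SCALAR_TYPES = new Set(['string', 'number', 'bigint', 'boolean']);

function isSafeBindValue(value) {
  if (value === null || value === undefined) return true;
  if (SCALAR_TYPES.has(typeof value)) return true;
  return Buffer.isBuffer(value);
}

// Never call methods on the rejected value itself when building the message.
function reject(where, value) {
  throw new TypeError(`bind parameter ${where}: expected scalar, null or Buffer, got ${typeof value}`);
}

// Accepts the shapes node-sqlite3 takes: a single value, a positional array, or
// a plain object of named parameters ($name / @name / :name). Returns a fresh
// copy so the caller cannot mutate the checked values afterwards.
function sanitizeBindParams(params) {
  if (Array.isArray(params)) {
    params.forEach((v, i) => { if (!isSafeBindValue(v)) reject(`#${i}`, v); });
    return params.slice();
  }
  if (params !== null && typeof params === 'object' && !Buffer.isBuffer(params)) {
    if (Object.getPrototypeOf(params) !== Object.prototype) reject('(named set)', params);
    const out = {};
    for (const [name, v] of Object.entries(params)) {
      if (!isSafeBindValue(v)) reject(name, v);
      out[name] = v;
    }
    return out;
  }
  if (!isSafeBindValue(params)) reject('(single)', params);
  return params;
}

// Hypothetical wrapper an application would call instead of db.run() directly;
// `db` is a node-sqlite3 Database (sqlite3 itself is not loaded here).
function safeRun(db, sql, params, callback) {
  return db.run(sql, sanitizeBindParams(params), callback);
}
```

Upgrading to v5.1.5 or later remains the fix; this check only narrows what an unpatched version is ever asked to coerce.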

Metadata

Created: 2023-03-13T20:00:52Z
Modified: 2023-03-16T21:34:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-jqv5-7xpx-qj74/GHSA-jqv5-7xpx-qj74.json
CWE IDs: ["CWE-913", "CWE-915"]
Alternative ID: GHSA-jqv5-7xpx-qj74
Finding: F039
Auto approve: 1