CVE-2022-35737

Name
CVE-2022-35737
Description
SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.
NVD Severity
unknown

References

Type URI
MISC https://kb.cert.org/vuls/id/720344
MISC https://www.sqlite.org/cves.html
Release Notes https://sqlite.org/releaselog/3_39_2.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20220915-0009/
Exploit https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/
Third Party Advisory https://security.gentoo.org/glsa/202210-40

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:* sqlite >= 1.0.12 < 3.39.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
sqlite 3.15-main 3.36.0-r0 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
sqlite 3.14-main 3.35.5-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
sqlite 3.13-main 3.34.1-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable