CVE-2022-46908

Name
CVE-2022-46908
Description
SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://sqlite.org/src/info/cefc032473ac5ad2
MISC https://sqlite.org/forum/forumpost/07beac8056151b2f
MISC https://news.ycombinator.com/item?id=33948588
Third Party Advisory https://security.netapp.com/advisory/ntap-20230203-0005/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:* sqlite >= None <= 3.40.0
cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:* sqlite >= 3.37.0 < 3.40.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
sqlite 3.15-main 3.36.0-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
sqlite 3.14-main 3.35.5-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable