CVE-2022-35737
HIGH7.5EPSS 54.8%`libsqlite3-sys` via C SQLite CVE-2022-35737
Published: 8/4/2022Modified: 12/6/2023
Description
It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large string were input into SQLite's `printf` function. As `libsqlite3-sys` bundles SQLite, it is susceptible to the vulnerability. `libsqlite3-sys` was updated to bundle the patched version of SQLite [here](https://github.com/rusqlite/rusqlite/releases/tag/sys0.25.1).
Affected packages (5)
- Alpine/sqlitefrom 0, < 0
- Bitnami/sqlite>= 1.0.12, < 3.39.2
- crates.io/libsqlite3-sysfrom 0, < 0.25.1
- crates.io/libsqlite3-sys>= 0.0.0-0, < 0.25.1
- Debian/sqlite3from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-35737
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-35737
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-35737
- PATCHhttps://crates.io/crates/libsqlite3-sys
- PATCHhttps://github.com/rusqlite/rusqlite
- WEBhttps://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api
- WEBhttps://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/
- WEBhttps://kb.cert.org/vuls/id/720344
- WEBhttps://rustsec.org/advisories/RUSTSEC-2022-0090.html
- WEBhttps://security.gentoo.org/glsa/202210-40
- WEBhttps://security.netapp.com/advisory/ntap-20220915-0009
- WEBhttps://security.netapp.com/advisory/ntap-20220915-0009/
- WEBhttps://sqlite.org/releaselog/3_39_2.html
- WEBhttps://www.sqlite.org/cves.html