GSA_kwCzR0hTQS1qcXY1LTd4cHgtcWo3NM4AAyEw

Severity: High. EPSS: 0.06155% (0.9052 percentile)

sqlite vulnerable to code execution due to Object coercion

Affected package: npm:sqlite3 (PURL: pkg:npm/sqlite3)
Affected versions: >= 5.0.0, < 5.1.5
Fixed version: 5.1.5
Dependent packages: 6,166
Dependent repositories: 146,342
Downloads last month: 3,995,188

Affected Version Ranges

All affected versions

5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4

All unaffected versions

2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.6, 2.2.7, 3.0.0, 3.0.1, 3.0.2, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.1, 4.2.0, 5.1.5, 5.1.6, 5.1.7

Impact

Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.

Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

  • Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.
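One way to apply that workaround in the parent application, as an added example that is neither part of this advisory nor code from the sqlite3 project: an allow-list guard run over every binding parameter before it is handed to the driver, so that only natively bindable values (primitives and raw bytes) reach the native ToString() conversion and any other object is refused. The db.run() call in the trailing comment is the assumed integration point.

```javascript
// Added example, not from the advisory or the sqlite3 project: a guard the
// parent application applies to every binding parameter before handing it to
// db.run()/db.get()/db.all(). Only values sqlite3 binds natively pass; any
// other object is refused, so nothing with its own toString()/valueOf()
// reaches the driver's ToString() conversion.

function describeType(v) {
  if (v === null) return 'null';
  if (typeof v !== 'object') return typeof v;
  return (v.constructor && v.constructor.name) || 'object';
}

// Allow-list of bindable primitives plus raw bytes for BLOB columns.
// Dates, Maps, class instances and plain objects are all rejected; callers
// convert them to a string or number explicitly before binding.
function isAllowedBindValue(v) {
  if (v === null || v === undefined) return true;
  const t = typeof v;
  if (t === 'string' || t === 'number' || t === 'boolean' || t === 'bigint') return true;
  return Buffer.isBuffer(v) || v instanceof Uint8Array;
}

// Accepts the shapes sqlite3 takes for parameters: a positional array, a
// plain named-parameter object ({ $id: 1 }), or a single scalar. Returns a
// shallow copy; throws TypeError on the first disallowed value.
function sanitizeBindParams(params) {
  if (params === undefined || params === null) return params;
  if (Array.isArray(params)) {
    return params.map((v, i) => {
      if (!isAllowedBindValue(v)) {
        throw new TypeError(`bind parameter #${i}: unsupported type ${describeType(v)}`);
      }
      return v;
    });
  }
  const proto = typeof params === 'object' ? Object.getPrototypeOf(params) : undefined;
  if (proto === Object.prototype || proto === null) {
    const out = {};
    for (const [k, v] of Object.entries(params)) {
      if (!isAllowedBindValue(v)) {
        throw new TypeError(`bind parameter ${k}: unsupported type ${describeType(v)}`);
      }
      out[k] = v;
    }
    return out;
  }
  if (!isAllowedBindValue(params)) {
    throw new TypeError(`bind parameter: unsupported type ${describeType(params)}`);
  }
  return params;
}

// Usage (assumed integration point, constructed):
// db.run('UPDATE users SET name = ? WHERE id = ?', sanitizeBindParams(params), cb);
```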

References

For more information

If you have any questions or comments about this advisory:

Credits: Dave McDaniel of Cisco Talos