Vulnerability Details CVE-2022-46908
SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.7%
CVSS Severity
CVSS v3 Score 7.3
Products affected by CVE-2022-46908
- cpe:2.3:a:sqlite:sqlite:3.37.0
- cpe:2.3:a:sqlite:sqlite:3.37.1
- cpe:2.3:a:sqlite:sqlite:3.37.2
- cpe:2.3:a:sqlite:sqlite:3.38.0
- cpe:2.3:a:sqlite:sqlite:3.38.1
- cpe:2.3:a:sqlite:sqlite:3.38.2
- cpe:2.3:a:sqlite:sqlite:3.38.3
- cpe:2.3:a:sqlite:sqlite:3.38.4
- cpe:2.3:a:sqlite:sqlite:3.38.5
- cpe:2.3:a:sqlite:sqlite:3.39.0
- cpe:2.3:a:sqlite:sqlite:3.39.1
- cpe:2.3:a:sqlite:sqlite:3.39.2
- cpe:2.3:a:sqlite:sqlite:3.39.3
- cpe:2.3:a:sqlite:sqlite:3.39.4
- cpe:2.3:a:sqlite:sqlite:3.40.0