Array-Bounds Overflow in SQLite by SQLite Software Corporation
CVE-2022-35737

7.5HIGH

Key Information:

Vendor: Sqlite
Status: Sqlite
Vendor: CVE Published:; 3 August 2022

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 58%

What is CVE-2022-35737?

The vulnerability allows an array-bounds overflow condition to occur in SQLite versions between 1.0.12 and 3.39.1 when large strings are passed to certain C API functions. Specifically, using an excessively large amount of data can exploit this weakness, potentially leading to unexpected behavior, crashes, or unauthorized access. Users are advised to upgrade to version 3.39.2 or later to mitigate these risks effectively.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

codeql-cve-2022-35737
Created by rvermeulen

References

https://www.sqlite.org/cves.html

https://kb.cert.org/vuls/id/720344

https://sqlite.org/releaselog/3_39_2.html

EPSS Score

58% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Feb 21, 2023
👾
Exploit known to exist
Feb 21, 2023
Vulnerability published
Aug 3, 2022
Vulnerability Reserved
Jul 13, 2022

Sqlite

Badges

What is CVE-2022-35737?

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline