Improper Function Restriction in SQLite Up to 3.40.0
CVE-2022-46908

7.3HIGH

Key Information:

Vendor: Sqlite
Status: Sqlite
Vendor: CVE Published:; 12 December 2022

What is CVE-2022-46908?

SQLite versions up to 3.40.0 exhibit a flaw when executing untrusted command-line interface (CLI) scripts while using the --safe option. The azProhibitedFunctions protection mechanism is not correctly enforced, potentially allowing unrestricted user-defined functions (UDFs) to be executed, such as WRITEFILE. This oversight can lead to unintended interactions with the file system, posing a risk for data leakage or modification.

References

https://news.ycombinator.com/item?id=33948588

https://sqlite.org/forum/forumpost/07beac8056151b2f

https://sqlite.org/src/info/cefc032473ac5ad2

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2022
Vulnerability Reserved
Dec 12, 2022

Sqlite

What is CVE-2022-46908?

References

CVSS V3.1

Timeline