GLSA-202210-40 : SQLite: Multiple Vulnerabilities
high Nessus Plugin ID 166739
Language:
Description
The remote host is affected by the vulnerability described in GLSA-202210-40 (SQLite: Multiple Vulnerabilities)- A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability. (CVE-2021-20227)
- SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API. (CVE-2022-35737)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
All SQLite users should upgrade to the latest version:# emerge --sync # emerge --ask --oneshot --verbose >=dev-db/sqlite-3.39.2
See Also
https://security.gentoo.org/glsa/202210-40
Plugin Details
Severity: High
ID: 166739
File Name: gentoo_GLSA-202210-40.nasl
Version: 1.3
Type: local
Family: Gentoo Local Security Checks
Published: 10/31/2022
Updated: 12/5/2022
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Low
Base Score: 2.1
Temporal Score: 1.6
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
Temporal Vector: E:U/RL:OF/RC:C
CVSS Score Source: CVE-2021-20227
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: E:U/RL:O/RC:C
CVSS Score Source: CVE-2022-35737
Vulnerability Information
CPE: p-cpe:/a:gentoo:linux:sqlite, cpe:/o:gentoo:linux
Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list
Exploit Ease: No known exploits are available
Patch Publication Date: 10/31/2022
Vulnerability Publication Date: 3/23/2021
Reference Information
CVE: CVE-2021-20227, CVE-2022-35737
CEA-ID: CEA-2021-0025