22 Years Old Vulnerability in SQLite Allows Arbitrary Code Execution



Trail of Bits researcher Andreas Kellas has detailed a high-severity vulnerability, tracked as CVE-2022-35737 (CVSS score: 7.5), in the SQLite database library. The bug was introduced in October 2000, 22 years before it was found.

The CVE-2022-35737 flaw is an integer overflow issue that impacts SQLite versions 1.0.12 through 3.39.1. The vulnerability was addressed with the release of version 3.39.2 on July 21, 2022.


According to SQLite's own description of the vulnerability, it can only come up when “very long string inputs (greater than 2 billion bytes in length) are provided as arguments to a few specific C-language interfaces”.

To trigger the bug, an attacker must get a very large string passed to SQLite's printf implementation (sqlite3_str_vappendf, which also backs sqlite3_mprintf, sqlite3_snprintf and sqlite3_vmprintf) together with a format string that uses one of the specifiers “%q”, “%Q” or “%w”, the ones that escape quote characters so a value can be spliced into SQL text.

While handling those specifiers, the function counts the bytes of the argument and the quote characters that will have to be doubled, then adds them up to decide how large the output buffer must be. Before the fix those counters were 32-bit signed integers, so an input of more than about 2^31 bytes makes the sum overflow to a negative value. The size check is then passed with a buffer far too small for the escaped output, and the copy that follows writes past its end.
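The arithmetic behind the bug, as an added C example written for this article (a simplified model, not SQLite's source): size_vulnerable mirrors the 32-bit count of input bytes and quote characters that pre-3.39.2 code used to size the output, size_fixed does the same arithmetic in 64-bit as the 3.39.2 fix does, and sql_escape shows what %q/%Q/%w actually produce for a small input and keeps the size check in 64-bit. The 70-byte SCRATCH_SIZE, the function names and the constructed 2,147,483,647-byte length are assumptions of the example; it never allocates that much memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SQLite's code. SCRATCH_SIZE stands in for the small
 * on-stack buffer the formatter uses when the computed size is small; 70 is an
 * assumed value for this demo. */
#define SCRATCH_SIZE 70

typedef struct {
    int64_t need;      /* bytes the formatter believes the escaped output needs */
    bool    on_stack;  /* true: it would write into the fixed-size scratch buffer */
} size_decision;

/* Pre-fix model: byte count i and quote count n are 32-bit ints and the sum
 * n + i + 3 wraps once i approaches INT32_MAX.  The wraparound is modelled with
 * uint32_t so this demo itself has no undefined behaviour. */
size_decision size_vulnerable(uint64_t input_len, uint64_t quote_count)
{
    uint32_t i = (uint32_t)input_len;
    uint32_t n = (uint32_t)quote_count;
    int32_t total = (int32_t)(n + i + 3u);   /* bit pattern an int overflow leaves */
    size_decision d = { total, total <= SCRATCH_SIZE };
    return d;
}

/* Post-fix model: the same arithmetic in 64-bit, so a 2 GB argument yields a
 * large positive size and the scratch buffer is never chosen. */
size_decision size_fixed(uint64_t input_len, uint64_t quote_count)
{
    int64_t i = (int64_t)input_len;
    int64_t n = (int64_t)quote_count;
    n += i + 3;
    size_decision d = { n, n <= SCRATCH_SIZE };
    return d;
}

/* What %q/%Q/%w do to the argument: every occurrence of q is doubled, and for
 * %Q the result is wrapped in q...q.  Returns the byte count needed (without
 * the NUL); writes the escaped string only when out can hold it, otherwise
 * leaves out empty.  All sizes are 64-bit. */
int64_t sql_escape(const char *in, char q, bool wrap, char *out, size_t outsz)
{
    int64_t need = wrap ? 2 : 0;
    for (const char *p = in; *p; p++)
        need += (*p == q) ? 2 : 1;
    if (out == NULL)
        return need;
    if ((uint64_t)need + 1 > outsz) {        /* the check the overflow defeated */
        if (outsz) out[0] = '\0';
        return need;
    }
    size_t pos = 0;
    if (wrap) out[pos++] = q;
    for (const char *p = in; *p; p++) {
        out[pos++] = *p;
        if (*p == q) out[pos++] = q;
    }
    if (wrap) out[pos++] = q;
    out[pos] = '\0';
    return need;
}

/* Helper for checks: escape into a local buffer and compare with the expected text. */
bool escape_equals(const char *in, char q, bool wrap, const char *expected)
{
    char buf[64];
    return sql_escape(in, q, wrap, buf, sizeof buf) == (int64_t)strlen(expected)
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed case: a 2,147,483,647-byte argument with no quote characters,
     * just over the "2 billion bytes" threshold.  Nothing is allocated. */
    uint64_t len = 2147483647ULL;
    size_decision v = size_vulnerable(len, 0), f = size_fixed(len, 0);
    printf("vulnerable: need=%lld on_stack=%d\n", (long long)v.need, v.on_stack);
    printf("fixed:      need=%lld on_stack=%d\n", (long long)f.need, f.on_stack);

    char buf[32];
    sql_escape("O'Brien", '\'', true, buf, sizeof buf);
    printf("%%Q of O'Brien -> %s\n", buf);
    return 0;
}
```

The vulnerable model reports a negative size for the 2 GB input and would therefore use the small scratch buffer, which is exactly the condition that lets the escaping loop overrun it; the fixed model reports 2,147,483,650 bytes and goes to the heap path instead.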

SQLite is written in C and is one of the most widely deployed database engines. It ships by default in the following operating systems and web browsers:

OS:

  • Android
  • iOS
  • Windows
  • macOS

Web Browsers:

  • Google Chrome
  • Mozilla Firefox
  • Apple Safari

Security recommendation

SQLite 3.39.2, released on July 21, 2022, fixes the issue by performing the %q/%Q/%w length arithmetic in 64-bit integers. Because SQLite is usually compiled into or bundled with the application that uses it, each such application has to be rebuilt or updated on its own; sqlite3_libversion_number() returning 3039002 or higher (or select sqlite_version(); reporting 3.39.2 or later) confirms that the fixed library is the one actually loaded. Note that reaching the affected code needs a string of more than 2 billion bytes, which is above SQLite's default SQLITE_MAX_LENGTH of 1,000,000,000 bytes, so ordinary SQL on a default build cannot trigger it; the realistic exposure is application code that passes attacker-controlled strings of that size directly to the C printf-style interfaces.

No exploitation in the wild has been reported. Trail of Bits, however, has published a write-up and proof-of-concept exploit code (on GitHub), so the details are public.


About the Author:

FirstHackersNews- Identifies Security
