The security expert Andreas Kellas detailed a high-severity vulnerability, tracked as CVE-2022-35737 (CVSS score: 7.5), in the SQLite database library, which was introduced in October 2000.
The CVE-2022-35737 flaw is an integer overflow issue that impacts SQLite versions 1.0.12 through 3.39.1. The vulnerability was addressed with the release of version 3.39.2 on July 21, 2022.
SQLite’s description of the vulnerability, it can only come up when “very long string inputs (greater than 2 billion bytes in length) are provided as arguments to a few specific C-language interfaces
To exploit the vulnerability, an attacker must pass large strings as inputs to the SQLite implementations of the printf functions (sqlite3_str_vappendf) and include the format specifiers “%q,” “%Q,” or “%w” in the format string.
A signed integer overflow is triggered when the sqlite3_str_vappendf function receives a large string and when the format substitution type is %q, %Q, or %w.
However, SQLite database engine was developed in C and is widely used today.
Following operating systems and web browsers include it by default:-
- Google Chrome
- Mozilla Firefox
- Apple Safari
SQLite release 3.39.2 was made available in late July to fix the issue.
There are no reported exploits in the wild related to this vulnerability. However, Trail of Bits published a proof-of-concept exploit codes (see GitHub) and public disclosure of the vulnerability.