PT-2022-6939 · Sqlite+5

Larrybr · Published 2022-12-12 · Updated 2026-03-20 · CVE-2022-46908

CVSS v3.1: 7.3 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

SQLite versions prior to 3.40.0

Description

The issue is related to errors in the implementation of the azAllowedFunctions protection mechanism in the command-line interface of the SQLite database management system. This could allow an attacker to gain unauthorized access to prohibited user functions. Specifically, when the --safe option is relied on to execute untrusted CLI scripts, the azProhibitedFunctions protection mechanism is not properly implemented, so User-Defined Functions (UDFs) such as WRITEFILE are allowed.

Recommendations

For versions prior to 3.40.0, as a temporary workaround, consider disabling the use of UDFs such as WRITEFILE until a patch is available. Restrict access to the azProhibitedFunctions mechanism to minimize the risk of exploitation. Avoid using the --safe option for executing untrusted CLI scripts until the issue is resolved.

Exploit

Fix

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1001
AZL-11586
BDU:2023-05686
BIT-SQLITE-2022-46908
CVE-2022-46908
MGASA-2023-0094
OESA-2022-2146
OESA-2023-1219
OPENSUSE-SU-2022_4628-1
OPENSUSE-SU-2024:12574-1
ROSA-SA-2023-2266
SUSE-SU-2022:4603-1
SUSE-SU-2022:4628-1
SUSE-SU-2022_4603-1
SUSE-SU-2022_4628-1
SUSE-SU-2023:1295-1
SUSE-SU-2023:2668-1
SUSE-SU-2023_1295-1
SUSE-SU-2023_2668-1
USN-6566-1

Affected Products

Alt Linux
Linuxmint
Red Os
Sqlite
Suse
Ubuntu