Fix availability for CVE-2022-46908 (BDSA-2022-3544)
(1) By anonymous on 2022-12-14 15:27:45 [link] [source]
Hi,
Please help with a fix availability date for the next SQLite version for security vulnerability CVE-2022-46908 (BDSA-2022-3544), which has been identified in versions 3.39.4 & 3.40.0
(2) By Stephan Beal (stephan) on 2022-12-14 15:32:06 in reply to 1 [link] [source]
Please help with a fix availability date for the next SQLite version for security vulnerability ...
https://nvd.nist.gov/vuln/detail/CVE-2022-46908
says:
SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
The CVE does not make it clear, but this affects only the CLI shell application, not the library. If you only use the library, you are 100% unaffected by it.
(3) By Stephan Beal (stephan) on 2022-12-14 15:34:11 in reply to 1 [link] [source]
Please help with a fix availability date for the next SQLite version for security vulnerability ...
PS: it's already been fixed. See /forumpost/07beac8056151b2f.
(4) By anonymous on 2022-12-14 16:20:26 in reply to 2 [link] [source]
Thanks for quick response.
Can you please confirm if this vulnerability is applicable to version 3.39.4 as well?
(5) By Stephan Beal (stephan) on 2022-12-14 16:28:36 in reply to 4 [link] [source]
Can you please confirm if this vulnerability is applicable to version 3.39.4 as well?
3.39.4 was released on 2022-09-29, more than 2 months before that fix was made, so it is hypothetically also affected. (If you need to know for sure, try it and find out by following the instructions in /forumpost/07beac8056151b2f!) Again, though: only the CLI shell app is affected, not the library. Client applications based on the library are not affected and there is nothing to fix in the library-level code.
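The point made above (the file I/O functions belong to the CLI shell's bundled extension, not to the library) can be checked directly against whatever SQLite build an application links. This is an added example, not code from the SQLite project or the thread; the list of probed function names and the helper names are assumptions. The probe never executes any of the functions: it calls each with more arguments than it accepts, so SQLite rejects the statement while preparing it and the error message tells absent from present.

```python
import re
import sqlite3
from typing import List, Optional

# Functions the sqlite3 shell registers from its bundled fileio extension.
# This list is an assumption for the check, not taken from the CVE text.
CLI_FILE_FUNCTIONS = ("writefile", "readfile", "fsdir", "edit")

_MISSING = re.compile(r"no such function", re.IGNORECASE)
_BAD_ARITY = re.compile(r"wrong number of arguments", re.IGNORECASE)


def function_is_registered(conn: sqlite3.Connection, name: str) -> bool:
    """Report whether SQL function `name` exists on `conn` without running it.

    Nine NULL arguments exceed what any fileio function accepts, so SQLite
    fails at prepare time: 'no such function' means absent, 'wrong number of
    arguments' means present. Nothing executes, so no file is touched.
    `name` is interpolated into SQL and must come from a trusted constant.
    """
    args = ", ".join(["NULL"] * 9)
    try:
        conn.execute(f"SELECT {name}({args})")
    except sqlite3.OperationalError as exc:
        if _MISSING.search(str(exc)):
            return False
        if _BAD_ARITY.search(str(exc)):
            return True
        raise
    return True  # prepared and ran: a variadic function of that name exists


def registered_cli_file_functions(conn: Optional[sqlite3.Connection] = None) -> List[str]:
    """Return which CLI-only file functions this library connection exposes.

    For a process that links only the SQLite library (here Python's sqlite3
    module, not the shell) the expected result is an empty list.
    """
    if conn is None:
        conn = sqlite3.connect(":memory:")
    return [n for n in CLI_FILE_FUNCTIONS if function_is_registered(conn, n)]


def probe_self_check(conn: Optional[sqlite3.Connection] = None) -> bool:
    """Confirm the probe tells a real builtin (abs) apart from a made-up name."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    return function_is_registered(conn, "abs") and not function_is_registered(conn, "no_such_fn_xyz")


if __name__ == "__main__":
    found = registered_cli_file_functions()
    print("CLI file functions exposed by this library build:", found or "none")
```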
(6) By Larry Brasfield (larrybr) on 2022-12-14 21:40:08 in reply to 4 [link] [source]
The recently fixed flaw in the implementation of the CLI's -safe mode has existed since the inception of the -safe feature.
(7) By anonymous on 2022-12-15 16:17:02 in reply to 3 [link] [source]
The quick turn-around on the patch is great, thank you to the SQLite team.
I believe the questioner is asking about a release incorporating this change, as many security analysis tools aren't sufficiently sophisticated to detect changes in the source but instead rely on the cruder version information present in the libraries and executables. I recognize that making a release is a non-trivial undertaking and a single CVE, even if labeled critical, may be insufficient to trigger that process.
Whatever the SQLite team decides, could CVE-2022-46908 be added to the vulnerability page along with the team's position on the issue, even if just to say it isn't considered critical because of the limitations on its impact?
Thanks for your time and effort on this critical library.
(8) By Richard Hipp (drh) on 2022-12-15 16:30:08 in reply to 7 [link] [source]
could CVE-2022-46908 be added to the vulnerability page
I did that yesterday, but then I forgot to type the command to upload the changes from the staging area to the actual website. Fixed now.
(9) By anonymous on 2022-12-15 21:20:42 in reply to 8 [source]
That's great, thanks for pushing that change up! This gives us something concrete to point customers at.
(10) By anonymous on 2022-12-17 16:39:43 in reply to 8 [link] [source]
Wanted to let the SQLite team know that I made a request to NIST to reclassify this issue based on the information on the vulnerabilities page. Hopefully they can reclassify this CVE to a more appropriate level given the limited nature of its impact.
(11) By anonymous on 2022-12-20 21:07:04 in reply to 10 [link] [source]
After some discussion with NIST, this issue has had its base score reduced from 9.8 / Critical to 7.3 / High. I believe this is a reasonable scoring given the nature of the impact. It doesn't appear there's a way within the CVE system to distinguish the SQLite library from the much less widely distributed CLI component.