Vulnerability DatabaseWS-2022-0324
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
WS-2022-0324
November 03, 2024
The rubygem sqlite3 v1.5.1 upgrades the packaged version of libsqlite from v3.39.3 to v3.39.4. libsqlite v3.39.4 addresses a vulnerability described as follows in the release notification: Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so this should be considered a security update. In order to exploit the vulnerability, an attacker must have full SQL access and must be able to construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit signed integer overflow.
Related Resources (4)
https://github.com/sparklemotion/sqlite3-ruby/commit/8ebb39d36483a2f3fd6601ac10a5fae899ce1208#diff-bd08eecf2a8519d8fd0dab9cbbc37b9f2bf123e3a75beb7247045a82fa98fa82
https://github.com/sparklemotion/sqlite3-ruby
https://github.com/sparklemotion/sqlite3-ruby/security/advisories/GHSA-mgvv-5mxp-xq67
https://github.com/sparklemotion/sqlite3-ruby/releases/tag/v1.5.1
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH