GHSA-jqv5-7xpx-qj74

Source
https://github.com/advisories/GHSA-jqv5-7xpx-qj74
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-jqv5-7xpx-qj74/GHSA-jqv5-7xpx-qj74.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jqv5-7xpx-qj74
Aliases
Published
2023-03-13T20:00:52Z
Modified
2023-11-08T04:10:44.194191Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
sqlite vulnerable to code execution due to Object coercion
Details

Impact

Because the binding layer coerces parameters with .ToString(), a crafted Object supplied as a binding parameter can execute arbitrary JavaScript or cause a denial of service. String coercion of an Object invokes the object's own toString() (or valueOf()/Symbol.toPrimitive) method, so any code the object carries runs during the bind, and a method that throws during that coercion crashes the process instead of returning an error to the caller.

sqlite3 v5.0.0 through v5.1.4 are affected.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

  • Validate every binding parameter in the calling application before it reaches sqlite3: accept only primitives (string, number, bigint, boolean), null and Buffer, and reject any other Object, so a value with a crafted toString()/valueOf() is never coerced by the driver.
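The coercion described under Impact and the workaround above, as an added example that is not code from the node-sqlite3 project: the vulnerable path is simulated with JavaScript's `String()` (the ECMAScript ToString operation that a native .ToString() call on a V8 value performs) rather than by loading the affected package, and the validator, the set of permitted binding types and the crafted objects are assumptions for illustration.

```javascript
// Added example for GHSA-jqv5-7xpx-qj74; not code from node-sqlite3.
// Plain Node.js, no sqlite3 dependency: the vulnerable coercion is simulated.

const SAFE_PRIMITIVES = new Set(['string', 'number', 'bigint', 'boolean']);

// Simulation of the vulnerable path: a binding parameter is coerced to a
// string with the ECMAScript ToString operation (what a native .ToString()
// call on a V8 value performs). For an Object that operation invokes the
// object's own Symbol.toPrimitive / valueOf / toString, so attacker-supplied
// code runs, and an exception thrown there propagates out of the coercion.
function coerceBindingLikeVulnerableLayer(value) {
  return String(value);
}

// Hardened equivalent of the workaround: allow only the value kinds a SQLite
// binding needs and reject every other Object before the driver sees it.
// Assumption: the application does not need Date bindings; add them if it does.
// Note that typeof and Object.prototype.toString.call never run the value's code.
function assertSafeBinding(value, index = 0) {
  if (value === null || value === undefined) return null; // bound as SQL NULL
  if (SAFE_PRIMITIVES.has(typeof value)) return value;
  if (Buffer.isBuffer(value)) return value;                // bound as BLOB
  const tag = Object.prototype.toString.call(value);
  throw new TypeError(`binding parameter ${index}: unsupported value ${tag}`);
}

function assertSafeBindings(params) {
  return params.map((v, i) => assertSafeBinding(v, i));
}

// Constructed attacker-controlled objects (illustrative, not real payloads).
// `log` records whether the object's code ran.
function makeCodeExecObject(log) {
  return {
    toString() {
      log.push('toString executed'); // arbitrary code would go here
      return 'harmless-looking value';
    },
  };
}

function makeDosObject() {
  return {
    toString() {
      throw new Error('toString threw during coercion');
    },
  };
}

// Runs both parameter paths against the crafted objects and reports the outcome.
function demo() {
  const log = [];
  const vulnerable = { codeRan: false, coercedTo: null, dosError: null };
  vulnerable.coercedTo = coerceBindingLikeVulnerableLayer(makeCodeExecObject(log));
  vulnerable.codeRan = log.length === 1;
  try {
    coerceBindingLikeVulnerableLayer(makeDosObject());
  } catch (e) {
    vulnerable.dosError = e.message;
  }

  const hardenedLog = [];
  const hardened = { codeRan: false, rejected: null, accepted: null };
  hardened.accepted = assertSafeBindings(['alice', 42, true, null, Buffer.from('ab')]);
  try {
    assertSafeBindings(['alice', makeCodeExecObject(hardenedLog)]);
  } catch (e) {
    hardened.rejected = e instanceof TypeError ? e.message : null;
  }
  hardened.codeRan = hardenedLog.length > 0; // stays false: never coerced
  return { vulnerable, hardened };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The vulnerable path runs the object's toString() and lets its exception escape; the validator rejects the same object by type without ever coercing it, which is the property the workaround asks the parent application to guarantee.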

References

  • Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781

For more information

If you have any questions or comments about this advisory:

Credits: Dave McDaniel of Cisco Talos

Affected packages

npm / sqlite3

Affected ranges (type: SEMVER)

  • Introduced: 5.0.0
  • Fixed: 5.1.5