Description
Denial-of-Service when binding invalid parameters in sqlite3
Affected versions of sqlite3 experience a fatal error when a specific object is supplied in the parameter array. This error crashes the application and cannot be caught. Users of sqlite3 v5.0.0, v5.0.1 and v5.0.2 are affected. The issue is fixed in v5.0.3, and all users are recommended to upgrade to v5.0.3 or later. As a workaround, ensure the parent application performs sufficient sanitization to prevent invalid values from being supplied as binding parameters.
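An added example (not code from the advisory or from node-sqlite3) of the sanitization workaround described above: an allow-list check the parent application can run over bind parameters before they reach sqlite3, so that an unsupported value surfaces as an ordinary, catchable error instead of a fatal native crash. The helper names, the `safeRun` wrapper and the `db.run` call shape are assumptions made for this example.

```javascript
// Allow-list of value kinds that the parent application will pass on as
// bind parameters. Anything else (functions, symbols, plain objects, class
// instances) is refused before it reaches the native binding layer. The list
// is deliberately conservative; it does not cover every type the library
// itself may support.
function isSafeBindValue(v) {
  if (v === null || v === undefined) return true;
  switch (typeof v) {
    case 'string':
    case 'boolean':
      return true;
    case 'number':
      return Number.isFinite(v);          // reject NaN / Infinity
    case 'object':
      return Buffer.isBuffer(v);          // BLOBs only; no arbitrary objects
    default:
      return false;                       // 'function', 'symbol', 'bigint'
  }
}

// Validate positional (array) or named (plain object) parameters.
// Returns them unchanged on success; throws a catchable TypeError otherwise.
function assertSafeBindParams(params) {
  const entries = Array.isArray(params)
    ? params.map((v, i) => [i, v])
    : Object.entries(params);
  for (const [key, value] of entries) {
    if (!isSafeBindValue(value)) {
      throw new TypeError(`unsupported bind parameter at ${key}: ${typeof value}`);
    }
  }
  return params;
}

// Hypothetical wrapper around a sqlite3-style db.run(sql, params, cb) call:
// bad parameters become a rejected promise the caller can handle.
function safeRun(db, sql, params) {
  return new Promise((resolve, reject) => {
    let checked;
    try {
      checked = assertSafeBindParams(params);
    } catch (e) {
      return reject(e);
    }
    db.run(sql, checked, function (err) {
      if (err) reject(err); else resolve(this);
    });
  });
}
```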
References
- https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-9qrh-qjmc-5w2p
- https://nvd.nist.gov/vuln/detail/CVE-2022-21227
- https://github.com/TryGhost/node-sqlite3/issues/1440
- https://github.com/TryGhost/node-sqlite3/issues/1449
- https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
- https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470
- https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645
Packages
- sqlite3: affected versions >= 5.0.0, < 5.0.3; patched in 5.0.3
Related vulnerabilities
The package sqlite3 before 5.0.3 is vulnerable to Denial of Service (DoS): it invokes the toString function of the passed parameter, and if passed an invalid Function object it will throw and crash the V8 engine.
A vulnerability in the V8 component of the SQLite database management system that allows an attacker to cause a denial of service.