Bug 2080841 (CVE-2022-21227) - CVE-2022-21227 sqlite3: Denial of Service (DoS) in sqlite3
Summary: CVE-2022-21227 sqlite3: Denial of Service (DoS) in sqlite3
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-21227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2080842
Blocks: 2080843
TreeView+ depends on / blocked
 
Reported: 2022-05-02 06:58 UTC by Avinash Hanwate
Modified: 2024-03-20 10:30 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in sqlite3. The flaw occurs due to a segmentation fault of an invalid toString() object. Users experience a fatal error when supplying a specific object in the parameter array due to this issue.
Clone Of:
Environment:
Last Closed: 2022-05-02 11:45:13 UTC
Embargoed:


Attachments (Terms of Use)

Description Avinash Hanwate 2022-05-02 06:58:51 UTC
The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.

https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645
https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470

Comment 1 Avinash Hanwate 2022-05-02 06:59:11 UTC
Created sqlite3 tracking bugs for this issue:

Affects: fedora-all [bug 2080842]

Comment 3 Product Security DevOps Team 2022-05-02 11:45:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21227


Note You need to log in before you can comment on or make changes to this bug.