CVE-2022-21227
Publication date 1 May 2022
Last updated 24 July 2024
Ubuntu priority
The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| node-sqlite3 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Other references
- https://github.com/advisories/GHSA-9qrh-qjmc-5w2p
- https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645
- https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645
- https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470
- https://www.cve.org/CVERecord?id=CVE-2022-21227