Vulnerability in SQLite3.39.2 BDSA-2023-3555

[sankar-gp]

Our internal tool reported that there is a Vulnerability in SQLite3.39.2

[BDSA-2023-3555]

Description
SQLite is vulnerable to an out-of-bounds memory access issue due to a lack of sufficient input validation in the sessionReadRecord() function.

An attacker could submit a crafted input in order to trigger the flaw which could allow for a 1-byte out-of-bounds read to occur which could lead to information being leaked from memory, or cause instability which could result in a denial-of-service (DoS).

[developernotes]

Hi @sankar-gp,

Thanks for your interest in SQLCipher. Unfortunately, we do not have access to the security advisory you linked to, however, the description sounds similar to CVE-2023-7104 ¹. Please note that this issue is isolated to the session extension, so if your application is not using that extension within SQLCipher, your application would not be affected. We are in the process of preparing the next public SQLCipher release which will be based on upstream SQLite 3.44.2.

Footnotes

1. https://nvd.nist.gov/vuln/detail/CVE-2023-7104 ↩