Vulnerability in SQLite3.39.2 CVE-2024-0232

[sankar-gp]

Our internal tool reported that there is a Vulnerability in SQLite3.39.2

CVE-2024-0232

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.

[developernotes]

Hello @sankar-gp,

This issue was addressed in SQLite upstream 3.43.2. The latest SQLCipher release, 4.5.6 is based on SQLite upstream 3.44.2. Please note that we stopped releasing Community builds of android-database-sqlcipher with 4.5.4 which is based on SQLite upstream 3.41.2. Our long-term supported replacement for android-database-sqlcipher is sqlcipher-android. If you are a Commercial customer using android-database-sqlcipher, please feel free to reach out directly at support@zetetic.net.

[sankar-gp]

Does this issue Vulnerability our application?

[developernotes]

Hi @sankar-gp,

If your application is using SQLite 3.39.2, via SQLCipher 4.5.2 we would recommend you update your library.

[sankar-gp]

We are using 'net.zetetic:android-database-sqlcipher:4.5.3@aar' and 'net.zetetic:android-database-sqlcipher:4.5.4@aar' versions in our app

[sjlombardo]

@sankar-gp - it appears you have cross-posted this issue in several places, please reference our response to your question on the SQLCipher Discussion Site.