Vulnerability in SQLite 3.39.2 CVE-2024-0232
sankar-gp opened this issue · 5 comments
Our internal tool reported that there is a vulnerability in SQLite 3.39.2.
A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.
Hello @sankar-gp,
This issue was addressed in SQLite upstream 3.43.2. The latest SQLCipher release, 4.5.6, is based on SQLite upstream 3.44.2. Please note that we stopped releasing Community builds of android-database-sqlcipher with 4.5.4, which is based on SQLite upstream 3.41.2. Our long-term supported replacement for android-database-sqlcipher is sqlcipher-android. If you are a Commercial customer using android-database-sqlcipher, please feel free to reach out directly at support@zetetic.net.
Does this vulnerability affect our application?
Hi @sankar-gp,
If your application is using SQLite 3.39.2 via SQLCipher 4.5.2, we would recommend you update your library.
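The practical check behind the reply above is whether the SQLite actually linked into the app is older than the upstream release that carries the fix. The following is an added example, not code from this thread or from Zetetic: it asks the library for its own version with `SELECT sqlite_version()` (on Android the same statement would go through SQLCipher's `rawQuery`; here Python's standard-library `sqlite3` module stands in so it runs offline) and compares it against 3.43.2. The SQLCipher-to-SQLite mapping is built only from the versions quoted in this thread; releases such as 4.5.3 are deliberately not guessed.

```python
"""
Added example (not part of the issue thread or Zetetic's code): report which
SQLite version a process actually links and whether it predates the upstream
release that fixed CVE-2024-0232 (3.43.2, per the reply above).

Python's standard-library sqlite3 module stands in for SQLCipher here so the
example runs offline; the version numbers are the ones quoted in the thread.
"""
import re
import sqlite3
from typing import Tuple

# Upstream SQLite release that fixed the jsonParseAddNodeArray() use-after-free.
CVE_2024_0232_FIXED_IN = "3.43.2"

# SQLite versions bundled by the SQLCipher releases named in the thread.
# Constructed from the thread only; other SQLCipher releases are not listed.
SQLCIPHER_BUNDLED_SQLITE = {
    "4.5.2": "3.39.2",
    "4.5.4": "3.41.2",
    "4.5.6": "3.44.2",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.43.2' (or '3.44.2 2023-11-24 ...') into a comparable tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so '3.43' compares as 3.43.0 rather than sorting before 3.43.x.
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(sqlite_version: str) -> bool:
    """True if this SQLite predates the release carrying the fix."""
    return parse_version(sqlite_version) < parse_version(CVE_2024_0232_FIXED_IN)


def linked_sqlite_version(conn: sqlite3.Connection) -> str:
    """Ask the library itself; trust this over what the build file pulls in."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def current_process_sqlite() -> str:
    """Version string of the SQLite linked into this process."""
    with sqlite3.connect(":memory:") as conn:
        return linked_sqlite_version(conn)


def sqlcipher_release_affected(sqlcipher_version: str) -> bool:
    """Look up the bundled SQLite for a SQLCipher release named in the thread.

    Raises KeyError for releases the thread does not map, rather than guessing.
    """
    return is_affected(SQLCIPHER_BUNDLED_SQLITE[sqlcipher_version])


if __name__ == "__main__":
    v = current_process_sqlite()
    print(f"linked SQLite {v}: {'affected' if is_affected(v) else 'fixed'}")
    for rel, bundled in SQLCIPHER_BUNDLED_SQLITE.items():
        state = "affected" if is_affected(bundled) else "fixed"
        print(f"SQLCipher {rel} -> SQLite {bundled}: {state}")
```

Running this against the interpreter's own SQLite is only a demonstration of the query; for the Android app the version that matters is the one returned through the SQLCipher connection at runtime, which is what `linked_sqlite_version` models.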
We are using the 'net.zetetic:android-database-sqlcipher:4.5.3@aar' and 'net.zetetic:android-database-sqlcipher:4.5.4@aar' versions in our app.
@sankar-gp - it appears you have cross-posted this issue in several places, please reference our response to your question on the SQLCipher Discussion Site.