sqlcipher/android-database-sqlcipher

Our scan tool reports vulnerabilities [CVE-2024-5535] in OpenSSL 1.1.1q used by SQLCipher 4.5.2. Do these vulnerabilities affect the library net.zetetic:androidx-database-sqlcipher? Thanks

lierliang12345 opened this issue · 2 comments

Our scan tool reports vulnerabilities [CVE-2024-5535] in OpenSSL 1.1.1q used by SQLCipher 4.5.2. Do these vulnerabilities affect the library net.zetetic:androidx-database-sqlcipher?
Thanks

Hi @lierliang12345,

SQLCipher is not impacted by CVE-2024-5535 as it does not utilize SSL_select_next_proto or TLS in general.

We only use SQLCipher 4.5.2 to encrypt and decrypt Android local database information. Check whether OpenSSL 1.1.1q capabilities are not used and whether OpenSSL 1.1.1q is not affected by all OpenSSL vulnerabilities.
Thanks