sqlcipher/sqlcipher

Update for SQLCipher with SQLite3 version 3.42.0

serajahmad01 opened this issue · 3 comments

SQLCipher version: 4.5.3

We are getting the below vulnerability in our scans related to SQLite3 version 3.39.4, which is being used in SQLCipher 4.5.3.

https://nvd.nist.gov/vuln/detail/CVE-2023-36191

Is this vulnerability fixed in new SQLCipher version "4.5.4"?
When will the SQLCipher update be coming with the updated SQLite3 version "3.42.0"?

Hello @serajahmad01 - SQLCipher 4.5.4 is based on SQLite 3.41.2. According to the CVE, this affects 3.40.1, however that is incorrect, and this issue currently affects 3.42.0. The upstream fix has not yet been included in an official SQLite release, so updating SQLCipher to use 3.42.0 would not address this.

In addition, this problem only impacts the command line shell program. The shell is not part of the SQLCipher library and would not be included in any application integration packages. Therefore, applications that embed the SQLCipher library are not affected by the CVE.

The next SQLCipher release would be based on an updated stable version of SQLite. If the fix is available in a stable version at that time, it will be included. We don't have a firm schedule for the next release at this time.

For reference, SQLite developers have issued a statement disputing the validity of this CVE:

https://sqlite.org/forum/info/d2415641c876b210f352

The latest SQLCipher release, 4.5.5, is based on SQLite 3.42.0.