CVE-2022-46908

HIGH
Published Dec 12, 20223y ago · Modified Jun 17, 20261w ago
7.3 CVSS 3.1
High
Find Similar
Published Dec 12, 2022 3y ago
Last Modified Jun 17, 2026 1w ago

Description

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.

CVSS Details

Base Score
7.3
Exploitability
1.8
Impact
5.5
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Affected Products 1

VendorProductVersionRange
sqlitesqlite*≥3.37.0  –  <3.40.1

References 5

  • news.ycombinator.com https://news.ycombinator.com/item?id=33948588
    ExploitIssue TrackingThird Party Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/202311-03
  • security.netapp.com https://security.netapp.com/advisory/ntap-20230203-0005/
    Third Party Advisory
  • sqlite.org https://sqlite.org/forum/forumpost/07beac8056151b2f
    ExploitIssue TrackingVendor Advisory
  • sqlite.org https://sqlite.org/src/info/cefc032473ac5ad2
    PatchVendor Advisory

Remediation

  • sqlite.org https://sqlite.org/src/info/cefc032473ac5ad2
    PatchVendor Advisory