Nexmo / ruby-2fa

Two Factor Authentication with Nexmo Verify
https://developer.nexmo.com/tutorials/two-factor-authentication
MIT License
1 stars 4 forks source link

sqlite3-1.5.0-x86_64-linux.gem: 1 vulnerabilities (highest severity is: 5.5) - autoclosed #15

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - sqlite3-1.5.0-x86_64-linux.gem

This module allows Ruby programs to interface with the SQLite3 database engine (http://www.sqlite.org). You must have the SQLite engine installed in order to build this module. Note that this module is only compatible with SQLite 3.6.16 or newer.

Library home page: https://rubygems.org/gems/sqlite3-1.5.0-x86_64-linux.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/sqlite3-1.5.0-x86_64-linux.gem

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2022-0324 Medium 5.5 sqlite3-1.5.0-x86_64-linux.gem Direct sqlite3 - v1.5.1

Details

WS-2022-0324 ### Vulnerable Library - sqlite3-1.5.0-x86_64-linux.gem

This module allows Ruby programs to interface with the SQLite3 database engine (http://www.sqlite.org). You must have the SQLite engine installed in order to build this module. Note that this module is only compatible with SQLite 3.6.16 or newer.

Library home page: https://rubygems.org/gems/sqlite3-1.5.0-x86_64-linux.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/sqlite3-1.5.0-x86_64-linux.gem

Dependency Hierarchy: - :x: **sqlite3-1.5.0-x86_64-linux.gem** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The rubygem sqlite3 v1.5.1 upgrades the packaged version of libsqlite from v3.39.3 to v3.39.4. libsqlite v3.39.4 addresses a vulnerability described as follows in the release notification: Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so this should be considered a security update. In order to exploit the vulnerability, an attacker must have full SQL access and must be able to construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit signed integer overflow.

Publish Date: 2022-10-03

URL: WS-2022-0324

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-mgvv-5mxp-xq67

Release Date: 2022-10-03

Fix Resolution: sqlite3 - v1.5.1

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.