:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
## Vulnerable Library - sqlite3-1.5.0-x86_64-linux.gem
This module allows Ruby programs to interface with the SQLite3 database engine (http://www.sqlite.org). You must have the SQLite engine installed in order to build this module. Note that this module is only compatible with SQLite 3.6.16 or newer.
Library home page: https://rubygems.org/gems/sqlite3-1.5.0-x86_64-linux.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /em/ruby/2.7.0/cache/sqlite3-1.5.0-x86_64-linux.gem
## Vulnerabilities

## Details

**WS-2022-0324**

### Vulnerable Library - sqlite3-1.5.0-x86_64-linux.gem
Library home page: https://rubygems.org/gems/sqlite3-1.5.0-x86_64-linux.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /em/ruby/2.7.0/cache/sqlite3-1.5.0-x86_64-linux.gem
Dependency Hierarchy:
- :x: **sqlite3-1.5.0-x86_64-linux.gem** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

The rubygem sqlite3 v1.5.1 upgrades the packaged version of libsqlite from v3.39.3 to v3.39.4. libsqlite v3.39.4 addresses a vulnerability described as follows in the release notification:

> Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so this should be considered a security update. In order to exploit the vulnerability, an attacker must have full SQL access and must be able to construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit signed integer overflow.
Publish Date: 2022-10-03
URL: WS-2022-0324
### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-mgvv-5mxp-xq67
Release Date: 2022-10-03
Fix Resolution: sqlite3 - v1.5.1
:rescue_worker_helmet: Automatic Remediation is available for this issue.