#### Impact
Due to the underlying implementation of `.ToString()`, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.
Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.
#### Patches
Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.
#### Workarounds
Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.
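The workaround above leaves validation to the parent application. The following is an added example, not code from node-sqlite3 or from the advisory, of such a guard: `sanitizeBindings` is a hypothetical helper name, and it assumes the application passes either a positional array or a named-parameter object (keys prefixed `$`, `:` or `@`) to node-sqlite3's `db.run`/`db.all` style methods. Only the primitive and Buffer values the driver actually binds are let through, so an object carrying a custom `toString` never reaches the native layer.

```javascript
"use strict";

// Prefixes node-sqlite3 accepts on named parameters.
const NAMED_PREFIXES = ["$", ":", "@"];

// A value is bindable only if it is one of the primitives the driver stores
// directly, or a Buffer (bound as BLOB). Anything else is an arbitrary object
// and is rejected without calling any method on it.
function isAllowedScalar(v) {
  if (v === null || v === undefined) return true;
  const t = typeof v;
  if (t === "string" || t === "number" || t === "boolean") return true;
  return Buffer.isBuffer(v);
}

// Validate positional (array) or named (plain object) bindings before they
// are handed to db.run(sql, params). Returns a fresh copy of the same shape;
// throws TypeError on any unsupported value or unexpected key.
function sanitizeBindings(params) {
  if (params === undefined) return [];
  if (Array.isArray(params)) {
    return params.map((v, i) => {
      if (!isAllowedScalar(v)) {
        throw new TypeError(`binding #${i + 1} has unsupported type ${typeof v}`);
      }
      return v;
    });
  }
  // Only a plain object (or null-prototype object) is treated as a named map;
  // Maps, class instances and primitives are refused outright.
  const proto = params === null ? undefined : Object.getPrototypeOf(params);
  if (typeof params !== "object" || params === null ||
      (proto !== Object.prototype && proto !== null)) {
    throw new TypeError("bindings must be an array or a plain object");
  }
  const out = {};
  for (const key of Object.keys(params)) {
    if (!NAMED_PREFIXES.includes(key[0])) {
      throw new TypeError(`named binding "${key}" must start with $, : or @`);
    }
    const v = params[key];
    if (!isAllowedScalar(v)) {
      throw new TypeError(`binding ${key} has unsupported type ${typeof v}`);
    }
    out[key] = v;
  }
  return out;
}
```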
TryGhost/node-sqlite3 (sqlite3)
### [`v5.1.5`](https://redirect.github.com/TryGhost/node-sqlite3/releases/tag/v5.1.5)
[Compare Source](https://redirect.github.com/TryGhost/node-sqlite3/compare/v5.1.4...v5.1.5)
#### What's Changed
- 🔒 Fixed code execution vulnerability due to Object coercion by [@daniellockyer](https://redirect.github.com/daniellockyer)
- Updated bundled SQLite to v3.41.1 by [@daniellockyer](https://redirect.github.com/daniellockyer)
- Fixed rpath linker option when using a custom sqlite by [@jeromew](https://redirect.github.com/jeromew) in [https://github.com/TryGhost/node-sqlite3/pull/1654](https://redirect.github.com/TryGhost/node-sqlite3/pull/1654)
**Full Changelog**: https://github.com/TryGhost/node-sqlite3/compare/v5.1.4...v5.1.5
### [`v5.1.4`](https://redirect.github.com/TryGhost/node-sqlite3/releases/tag/v5.1.4)
[Compare Source](https://redirect.github.com/TryGhost/node-sqlite3/compare/v5.1.3...v5.1.4)
#### What's Changed
- Fixed glibc compatibility by downgrading CI to Ubuntu 20 by [@daniellockyer](https://redirect.github.com/daniellockyer) in [https://github.com/TryGhost/node-sqlite3/pull/1664](https://redirect.github.com/TryGhost/node-sqlite3/pull/1664)
**Full Changelog**: https://github.com/TryGhost/node-sqlite3/compare/v5.1.3...v5.1.4
### [`v5.1.3`](https://redirect.github.com/TryGhost/node-sqlite3/releases/tag/v5.1.3)
[Compare Source](https://redirect.github.com/TryGhost/node-sqlite3/compare/v5.1.2...v5.1.3)
#### What's Changed
- Updated bundled SQLite to v3.40.0 by [@daniellockyer](https://redirect.github.com/daniellockyer)
**Full Changelog**: https://github.com/TryGhost/node-sqlite3/compare/v5.1.2...v5.1.3
### [`v5.1.2`](https://redirect.github.com/TryGhost/node-sqlite3/releases/tag/v5.1.2)
[Compare Source](https://redirect.github.com/TryGhost/node-sqlite3/compare/v5.1.1...v5.1.2)
#### What's Changed
- Updated bundled SQLite to v3.39.4 by [@daniellockyer](https://redirect.github.com/daniellockyer)
**Full Changelog**: https://github.com/TryGhost/node-sqlite3/compare/v5.1.1...v5.1.2
### [`v5.1.1`](https://redirect.github.com/TryGhost/node-sqlite3/releases/tag/v5.1.1)
[Compare Source](https://redirect.github.com/TryGhost/node-sqlite3/compare/v5.1.0...v5.1.1)
#### What's Changed
- Added Darwin ARM64 binaries by [@daniellockyer](https://redirect.github.com/daniellockyer) in [https://github.com/TryGhost/node-sqlite3/pull/1594](https://redirect.github.com/TryGhost/node-sqlite3/pull/1594)
A huge thanks to [MacStadium](https://www.macstadium.com/) for providing an M1 Mac Mini so we can offer ARM64 binaries.
**Full Changelog**: https://github.com/TryGhost/node-sqlite3/compare/v5.1.0...v5.1.1
### [`v5.1.0`](https://redirect.github.com/TryGhost/node-sqlite3/releases/tag/v5.1.0)
[Compare Source](https://redirect.github.com/TryGhost/node-sqlite3/compare/v5.0.11...v5.1.0)
✨ We're very excited to announce node-sqlite3's first minor release of v5, packed with features and improvements.
If you encounter any problems, please open a detailed issue using the [templates](https://redirect.github.com/TryGhost/node-sqlite3/issues/new/choose).
#### What's Changed
- Updated bundled SQLite to v3.39.3 by [@daniellockyer](https://redirect.github.com/daniellockyer)
- Added ability to receive updates from `sqlite3_update_hook` by [@soukand](https://redirect.github.com/soukand) in [https://github.com/TryGhost/node-sqlite3/pull/1267](https://redirect.github.com/TryGhost/node-sqlite3/pull/1267)
- Added support for setting SQLite limits by [@paulfitz](https://redirect.github.com/paulfitz) in [https://github.com/TryGhost/node-sqlite3/pull/1548](https://redirect.github.com/TryGhost/node-sqlite3/pull/1548)
- Added library types file by [@bpasero](https://redirect.github.com/bpasero) in [https://github.com/TryGhost/node-sqlite3/pull/1527](https://redirect.github.com/TryGhost/node-sqlite3/pull/1527)
- Added `package-lock.json` to `.gitignore` by [@JoelEinbinder](https://redirect.github.com/JoelEinbinder) in [https://github.com/TryGhost/node-sqlite3/pull/1628](https://redirect.github.com/TryGhost/node-sqlite3/pull/1628)
- Fixed remaining method declarations by [@alexanderfloh](https://redirect.github.com/alexanderfloh) in [https://github.com/TryGhost/node-sqlite3/pull/1633](https://redirect.github.com/TryGhost/node-sqlite3/pull/1633)
- Fixed importing `sqlite3#verbose` using destructuring syntax by [@mahdi-farnia](https://redirect.github.com/mahdi-farnia) in [https://github.com/TryGhost/node-sqlite3/pull/1632](https://redirect.github.com/TryGhost/node-sqlite3/pull/1632)
#### New Contributors
- [@JoelEinbinder](https://redirect.github.com/JoelEinbinder) made their first contribution in [https://github.com/TryGhost/node-sqlite3/pull/1628](https://redirect.github.com/TryGhost/node-sqlite3/pull/1628)
- [@mahdi-farnia](https://redirect.github.com/mahdi-farnia) made their first contribution in [https://github.com/TryGhost/node-sqlite3/pull/1632](https://redirect.github.com/TryGhost/node-sqlite3/pull/1632)
- [@soukand](https://redirect.github.com/soukand) made their first contribution in [https://github.com/TryGhost/node-sqlite3/pull/1267](https://redirect.github.com/TryGhost/node-sqlite3/pull/1267)
**Full Changelog**: https://github.com/TryGhost/node-sqlite3/compare/v5.0.11...v5.1.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates: sqlite3 `5.0.11` -> `5.1.5`
GitHub Vulnerability Alerts
CVE-2022-43441
Credits: Dave McDaniel of Cisco Talos
This PR was generated by Mend Renovate. View the repository job log.