dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

modernc.org/sqlite-v1.21.0: 1 vulnerabilities (highest severity is: 5.5) - autoclosed #438

Open dhiaayachi opened 2 months ago

dhiaayachi commented 2 months ago
Vulnerable Library - modernc.org/sqlite-v1.21.0

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (modernc.org/sqlite-v1.21.0 version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-28928 | Medium | 5.5 | modernc.org/libc-v1.22.3 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2020-28928

### Vulnerable Library - modernc.org/libc-v1.22.3

Library home page: https://proxy.golang.org/modernc.org/libc/@v/v1.22.3.zip

Dependency Hierarchy:
- modernc.org/sqlite-v1.21.0 (Root Library)
  - :x: **modernc.org/libc-v1.22.3** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

Publish Date: 2020-11-24

URL: CVE-2020-28928

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28928

Release Date: 2020-11-24

Fix Resolution: musl - 1.2.2-1, 1.1.16-3+deb9u1
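Two things in the report above are worth reading carefully. First, modernc.org/libc is a Go package containing code transpiled from musl, which is why a musl CVE is matched to it; the "Fix Resolution" versions are Debian musl package versions and do not translate into a Go module bump. Second, "no version of the direct dependency with a fix" is not a dead end in Go: minimal version selection builds with the highest version of a module that anything in the graph requires, so a direct `go get modernc.org/libc@<version>` in the root go.mod raises the transitive version regardless of what modernc.org/sqlite pins. The program below is an added illustration, not code from Temporal or from the scanner that filed this issue. It parses a constructed `go mod graph` output (the root module name, the edge set and the bumped version v1.22.6 are all assumptions; the page does not identify which modernc.org/libc release, if any, carries the fix) and shows the require chain to the flagged module, the version MVS selects today, and the effect of adding a direct requirement.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output for a module that depends on
// modernc.org/sqlite. The root module name and the x/sys and mathutil edges
// are illustrative only, not copied from the project's real graph.
const sampleGraph = `go.temporal.io/server modernc.org/sqlite@v1.21.0
go.temporal.io/server golang.org/x/sys@v0.5.0
modernc.org/sqlite@v1.21.0 modernc.org/libc@v1.22.3
modernc.org/sqlite@v1.21.0 modernc.org/mathutil@v1.5.0
modernc.org/libc@v1.22.3 golang.org/x/sys@v0.5.0
modernc.org/libc@v1.22.3 modernc.org/mathutil@v1.5.0`

// Graph maps a node ("path" for the root, "path@version" otherwise) to the
// nodes it requires, in the order `go mod graph` listed them.
type Graph map[string][]string

// ParseGraph reads `go mod graph` lines of the form "parent child@version".
func ParseGraph(text string) Graph {
	g := Graph{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g
}

// modulePath strips the "@version" suffix from a node name.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// PathTo returns the shortest require chain from root to the first node whose
// module path equals target, or nil if the module is not in the graph.
func PathTo(g Graph, root, target string) []string {
	type item struct {
		node string
		path []string
	}
	seen := map[string]bool{root: true}
	queue := []item{{root, []string{root}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur.node) == target {
			return cur.path
		}
		for _, next := range g[cur.node] {
			if !seen[next] {
				seen[next] = true
				p := append(append([]string{}, cur.path...), next)
				queue = append(queue, item{next, p})
			}
		}
	}
	return nil
}

// compareVersions orders plain "vMAJOR.MINOR.PATCH" strings. Pre-release and
// pseudo-versions are not handled here; real tooling should use golang.org/x/mod/semver.
func compareVersions(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// SelectedVersion mimics minimal version selection for one module: the build
// list contains the highest version that any node in the graph requires.
func SelectedVersion(g Graph, module string) string {
	best := ""
	for _, children := range g {
		for _, c := range children {
			if modulePath(c) == module {
				v := c[len(module)+1:]
				if best == "" || compareVersions(v, best) > 0 {
					best = v
				}
			}
		}
	}
	return best
}

// WithDirectRequire returns a copy of g in which root also requires
// module@version, which is what `go get module@version` records in go.mod.
func WithDirectRequire(g Graph, root, module, version string) Graph {
	out := Graph{}
	for k, v := range g {
		out[k] = append([]string{}, v...)
	}
	out[root] = append(out[root], module+"@"+version)
	return out
}

func main() {
	g := ParseGraph(sampleGraph)
	root := "go.temporal.io/server"
	fmt.Println("chain:", strings.Join(PathTo(g, root, "modernc.org/libc"), " -> "))
	fmt.Println("selected today:", SelectedVersion(g, "modernc.org/libc"))
	// v1.22.6 is a hypothetical target; the page does not say which release fixes the CVE.
	bumped := WithDirectRequire(g, root, "modernc.org/libc", "v1.22.6")
	fmt.Println("after direct require:", SelectedVersion(bumped, "modernc.org/libc"))
}
```

On a real checkout the same questions are answered by `go mod why -m modernc.org/libc` (the chain), `go list -m modernc.org/libc` (the selected version), and, after `go get modernc.org/libc@<version> && go mod tidy`, `go list -m` again to confirm the bump took. `govulncheck ./...` then tells you whether affected symbols are actually reachable from your code rather than merely present in the module graph, for any advisory the Go vulnerability database carries for that module. None of this helps unless a later modernc.org/libc release really contains the fix, which this issue does not establish.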

dhiaayachi commented 1 month ago

Thank you for reporting this vulnerability.

The vulnerability you have reported (CVE-2020-28928) affects the modernc.org/libc library, which is a transitive dependency of modernc.org/sqlite-v1.21.0. Unfortunately, there is no version of modernc.org/sqlite that includes a fix for this vulnerability.

The suggested fix is to upgrade musl to version 1.2.2-1, 1.2.2-1, or 1.1.16-3+deb9u1. However, this may require changes to your project's build configuration.

Please let me know if you have any further questions.

dhiaayachi commented 1 month ago

This vulnerability affects the modernc.org/libc library, which is a transitive dependency of your Temporal project. As mentioned in the details section, the vulnerability is fixed in musl version 1.2.2-1, 1.2.2-1, and 1.1.16-3+deb9u1.

Unfortunately, there isn't a version of modernc.org/sqlite that includes a fixed version of modernc.org/libc. Therefore, you'll need to consider alternative solutions to mitigate this vulnerability:

Please note that these solutions have their own trade-offs and may require further investigation and implementation. You should consult the Temporal documentation and potentially contact their support for guidance on the most appropriate solution for your project.