storesafe / cordova-sqlite-storage

A Cordova/PhoneGap plugin to open and use sqlite databases on Android, iOS and Windows with HTML5/Web SQL API

Do you have plans to upgrade the SQLite vulnerabilities #1019

Open jzonehu opened 4 months ago

jzonehu commented 4 months ago

This package has been identified with the following CVEs:

CVE-2022-21227 CVE-2022-46908 CVE-2023-7104

It appears that the underlying libsqlc-ndk-native-driver.so needs to be upgraded from SQLite 3.40.0 to version 3.43.0 or higher. Do you have plans to perform this upgrade?

MikeDimmickMnetics commented 3 months ago

The opinion of the SQLite developers towards CVEs can be found here: https://www.sqlite.org/cves.html.

The three CVEs you have listed are listed there:

  1. CVE-2022-21227 relates to the sqlite3 npm package, not this plugin, and not to the core SQLite engine.
  2. CVE-2022-46908 relates to the command line sqlite3 program and the possibility that its --safe switch allows some unsafe syntax. This plugin doesn't include the CLI.
  3. CVE-2023-7104 relates to the session extension, which is disabled by default. It has to be enabled at compile time. The distributed libsqlc-ndk-native-driver.so doesn't include it. The vulnerability is in a C-language API that this plugin doesn't use and doesn't expose.
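An added example (not code from the plugin or from either commenter): a runtime check that confirms what the bundled SQLite build actually contains, using the plugin's openDatabase/executeSql API and assuming that PRAGMA compile_options can be run through executeSql; the 3.43.0 threshold is the version mentioned in the question.

```javascript
// Pure assessment, kept separate from the Cordova call so it runs in any JS runtime.
// `versionText` is the value of sqlite_version(); `compileOptions` is the list of strings
// returned by PRAGMA compile_options. SQLite reports them without the SQLITE_ prefix,
// e.g. "ENABLE_FTS4" or "THREADSAFE=1".
function assessSqliteBuild(versionText, compileOptions, minVersion = '3.43.0') {
  const parse = (v) => v.split('.').map((n) => parseInt(n, 10) || 0);
  const cmp = (a, b) => {
    for (let i = 0; i < Math.max(a.length, b.length); i++) {
      const d = (a[i] || 0) - (b[i] || 0);
      if (d !== 0) return d;
    }
    return 0;
  };
  const opts = new Set(compileOptions.map((o) => String(o).toUpperCase()));
  return {
    version: versionText,
    meetsMinimum: cmp(parse(versionText), parse(minVersion)) >= 0,
    // CVE-2023-7104 lives in the session extension, which only exists in the binary
    // when it was built with SQLITE_ENABLE_SESSION (which in turn needs PREUPDATE_HOOK).
    sessionExtensionBuiltIn: opts.has('ENABLE_SESSION'),
    preupdateHookBuiltIn: opts.has('ENABLE_PREUPDATE_HOOK'),
  };
}

// Cordova side (hypothetical usage): query the bundled native library through the plugin.
// Assumes PRAGMA statements are accepted by db.executeSql; the database name is arbitrary.
function probeBundledSqlite(callback) {
  const db = window.sqlitePlugin.openDatabase({ name: 'probe.db', location: 'default' });
  db.executeSql('SELECT sqlite_version() AS v', [], (vRes) => {
    db.executeSql('PRAGMA compile_options', [], (oRes) => {
      const opts = [];
      for (let i = 0; i < oRes.rows.length; i++) {
        opts.push(oRes.rows.item(i).compile_options);
      }
      callback(null, assessSqliteBuild(vRes.rows.item(0).v, opts));
    }, callback);
  }, callback);
}

// Constructed sample matching the thread: a 3.40.0 build without the session extension.
const SAMPLE_REPORT = assessSqliteBuild('3.40.0', ['ENABLE_FTS4', 'THREADSAFE=1']);
```

A report with `sessionExtensionBuiltIn: false` supports the maintainer's point that CVE-2023-7104 does not apply to the shipped binary, regardless of the version number.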