CVE-2022-43441

Description

### Impact Due to the underlying implementation of `.ToString()`, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object. Users of `sqlite3` v5.0.0 - v5.1.4 are affected by this. ### Patches Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later. ### Workarounds * Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters. ### References * Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781 ### For more information If you have any questions or comments about this advisory: * Email us at [security@ghost.org](mailto:security@ghost.org) Credits: Dave McDaniel of Cisco Talos

How to fix CVE-2022-43441

To remediate CVE-2022-43441, upgrade the affected package to a fixed version below.

• —upgrade to 5.0.0+ds1-1+deb11u2 or later
• —upgrade to 5.0.0+ds1-1+deb11u2 or later
• —upgrade to 5.1.5 or later

Is CVE-2022-43441 being exploited?

Moderate — EPSS is 6.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

• from 0, < 5.0.0+ds1-1+deb11u2
• from 0, < 5.0.0+ds1-1+deb11u2
• >= 5.0.0, < 5.1.5

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43441
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-43441
• PATCHgithub.com/TryGhost/node-sqlite3
• WEBgithub.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781