CVE-2021-45346 - OpenCVE

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sqlite	Sqlite
Netapp	Ontap Select Deploy Administration Utility

Configuration 1 [-]

OR	cpe:2.3:a:sqlite:sqlite:3.35.1:::::::*
	cpe:2.3:a:sqlite:sqlite:3.37.0:::::::*

Configuration 2 [-]

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/guyinatuxedo/sqlite3_record_leaking	Exploit Third Party Advisory
https://security.netapp.com/advisory/ntap-20220303-0001/	Third Party Advisory
https://sqlite.org/forum/forumpost/056d557c2f8c452ed5	Vendor Advisory
https://sqlite.org/forum/forumpost/53de8864ba114bf6	Vendor Advisory
https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-14T00:00:00

Updated: 2022-10-31T00:00:00

Reserved: 2021-12-20T00:00:00

Link: CVE-2021-45346

JSON object: View

NVD Information

Status : Modified

Published: 2022-02-14T19:15:07.793

Modified: 2024-05-17T02:02:33.327

Link: CVE-2021-45346

JSON object: View

Redhat Information

No data.

CWE

CWE-401

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sqlite:sqlite:3.35.1:*:*:*:*:*:*:*", "matchCriteriaId": "957B4E14-84C0-45C8-96C3-C78D17FB4DA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sqlite:sqlite:3.37.0:*:*:*:*:*:*:*", "matchCriteriaId": "3CB2AF7E-0D10-47B6-B2F1-751A599A3E96", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect."}, {"lang": "es", "value": "** EN DISPUTA ** Se presenta una vulnerabilidad de p\u00e9rdida de memoria en SQLite Project SQLite3 versiones 3.35.1 y 3.37.0 por medio de consultas SQL dise\u00f1adas de forma maliciosa (realizadas por medio de la edici\u00f3n del archivo de la base de datos), es posible consultar un registro, y filtrar los bytes de memoria subsiguientes que son extendidos m\u00e1s all\u00e1 del registro, lo que podr\u00eda permitir a un usuario malicioso obtener informaci\u00f3n confidencial. NOTA: El desarrollador disputa esto como una vulnerabilidad afirmando que si le das a SQLite un archivo de base de datos corrupto y env\u00edas una consulta contra la base de datos, podr\u00eda leer partes de la base de datos que no pretend\u00edas o esperabas"}], "id": "CVE-2021-45346", "lastModified": "2024-05-17T02:02:33.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-14T19:15:07.793", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/guyinatuxedo/sqlite3_record_leaking"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220303-0001/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://sqlite.org/forum/forumpost/056d557c2f8c452ed5"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://sqlite.org/forum/forumpost/53de8864ba114bf6"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}