Trail of Bits researcher Andreas Kellas recently disclosed a 22-Years-Old SQLite bug which has been tracked as “CVE-2022-35737.” The SQLite database library has been found to contain this vulnerability that has a high severity level.
In October 2000 several code changes were made which led to the occurrence of this high-severity vulnerability. Threat actors could exploit this flaw to crash and control programs if they succeeded in exploiting it.
While it has been confirmed that this severe SQLite Bug could be exploited on systems that are based on 64-bit architecture. However, the extent to which a program is exploitable depends on the way it is compiled.
Using this issue SQLite Bug, an attacker could execute arbitrary code on the affected system as a result of exploiting the vulnerability. SQLite’s printf functions require attackers to pass large strings as inputs and the format string contains %Q, %q, or %w substitutions.
According to the report, The following are the affected versions as well as the version that has been fixed:-
This severe vulnerability has been discovered in the way the string formatting is handled by a function that is known as “sqlite3_str_vappendf” and this function is called by printf.
When a library is compiled without stack canaries, the possibility of running arbitrary code is confirmed. But, the presence of stack canaries implies the execution of arbitrary code, whereas DDoS is always confirmed in all cases.
The SQLite database engine was developed in C and is widely used today. The following operating systems and web browsers include it by default:-
OS:
Web Browsers:
The SQLite printf function is not vulnerable to widespread attacks in all systems and applications that apply it. Besides being a very serious vulnerability, it is also an example of a scenario that was once considered to be unfeasible decades ago.
Managed DDoS Attack Protection for Applications – Download Free Guide
A critical vulnerability in Ray, an open-source AI framework that is widely utilized across various sectors, including education, cryptocurrency, and…
Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups…
Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft SharePoint Server, CVE-2023-24955. This vulnerability poses…
Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included in the Edge Bounty Program. The…
Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user devices into proxy nodes, potentially engaging…
Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to challenges in reverse engineering DRAM addressing,…