GHSA-jqv5-7xpx-qj74: sqlite vulnerable to code execution due to Object coercion

Impact

Because the sqlite3 bindings coerce bound parameters with .ToString(), a crafted Object passed as a binding parameter can execute arbitrary JavaScript in the Node.js process, or crash it (denial of service). How far an attacker gets depends on how the application lets untrusted input reach the binding: where input arrives only as JSON, as in Ghost CMS, the practical impact is a remote denial of service; applications that pass attacker-shaped Objects into bindings can be exposed to code execution.

The sqlite3 npm package (node-sqlite3) versions 5.0.0 through 5.1.4 are affected.

Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

Workarounds

  • Validate binding parameters in the calling application before they reach sqlite3: allow only primitive values (strings, numbers, booleans, null) and Buffers, and reject any other Object rather than relying on its string coercion. The check must not itself call toString() or valueOf() on the untrusted value.
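The following is an added example, not code from node-sqlite3 or from this advisory, showing the Impact and the Workaround above side by side in the calling application: a JavaScript-level model of the Object coercion the advisory describes, beside an allow-list guard that rejects non-primitive, non-Buffer parameters without ever invoking the value's own coercion hooks. The function names (isSafeBindValue, sanitizeBindParams, simulateVulnerableCoercion, makeCraftedObject, makeHostileProxy, demo) are this example's own, and the crafted inputs are constructed here for demonstration.

```javascript
// Values node-sqlite3 binds without Object-to-string coercion: JS primitives,
// null/undefined, and Buffers (bound as BLOBs).
// Assumption: this allow-list suits most schemas; widen it deliberately
// (e.g. convert a Date to an ISO string yourself) rather than letting
// arbitrary Objects through.
function isSafeBindValue(v) {
  if (v === null || v === undefined) return true;
  switch (typeof v) {
    case 'string':
    case 'number':
    case 'boolean':
    case 'bigint':
      return true;
    case 'object':
      // ArrayBuffer.isView tests an internal slot and fires no Proxy trap;
      // only after it passes is the instanceof-based Buffer.isBuffer consulted,
      // so a hostile Proxy's getPrototypeOf trap is never reached.
      return ArrayBuffer.isView(v) && Buffer.isBuffer(v);
    default:
      // 'function', 'symbol'
      return false;
  }
}

// Returns a shallow copy of positional (array) or named (plain object)
// parameters containing only allow-listed values; throws TypeError otherwise.
// Nothing here calls toString() or valueOf() on a value.
function sanitizeBindParams(params) {
  if (Array.isArray(params)) {
    return params.map((v, i) => {
      if (!isSafeBindValue(v)) {
        throw new TypeError(`bind parameter #${i} is not a primitive or Buffer`);
      }
      return v;
    });
  }
  if (params !== null && typeof params === 'object') {
    const proto = Object.getPrototypeOf(params);
    if (proto !== Object.prototype && proto !== null) {
      throw new TypeError('named parameters must be a plain object');
    }
    const out = {};
    for (const key of Object.keys(params)) {
      if (!isSafeBindValue(params[key])) {
        throw new TypeError(`bind parameter ${key} is not a primitive or Buffer`);
      }
      out[key] = params[key];
    }
    return out;
  }
  throw new TypeError('parameters must be an array or a plain object');
}

// JavaScript-level model of the pre-5.1.5 behaviour: coercing an arbitrary
// Object to a string runs that Object's own toString(). The real coercion was
// the native binding's .ToString(); this is an analogy, not the library's code.
function simulateVulnerableCoercion(v) {
  return String(v);
}

// A "crafted Object" in the advisory's sense: its toString() is attacker code.
// Here it only records that it ran.
function makeCraftedObject(log) {
  return { toString() { log.push('attacker toString() executed'); return 'x'; } };
}

// A Proxy whose getPrototypeOf trap is attacker code: it fires on any
// instanceof check, which is why the guard never runs instanceof on raw input.
function makeHostileProxy(log) {
  return new Proxy({}, {
    getPrototypeOf(target) { log.push('proxy trap executed'); return Object.getPrototypeOf(target); },
  });
}

function demo() {
  const naiveLog = [];
  simulateVulnerableCoercion(makeCraftedObject(naiveLog));

  const guardLog = [];
  let guardRejected = false;
  try { sanitizeBindParams(['id', makeCraftedObject(guardLog)]); }
  catch (e) { guardRejected = e instanceof TypeError; }

  const proxyLog = [];
  let proxyRejected = false;
  try { sanitizeBindParams({ $id: makeHostileProxy(proxyLog) }); }
  catch (e) { proxyRejected = e instanceof TypeError; }

  return {
    naiveRanAttackerCode: naiveLog.length === 1,
    guardRanAttackerCode: guardLog.length > 0,
    guardRejected,
    proxyTrapRanUnderGuard: proxyLog.length > 0,
    proxyRejected,
  };
}

console.log(demo());
```

Call sanitizeBindParams on every parameter array or named-parameter object before it reaches Statement.run/get/all; the container itself must be one the application built (a Proxy used as the container would run its traps on Object.keys and getPrototypeOf regardless of the guard). The guard is a stop-gap for deployments that cannot yet upgrade; the fix in 5.1.5 remains the real remediation.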

References

  • Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781

For more information

If you have any questions or comments about this advisory:

Credits: Dave McDaniel of Cisco Talos



References

  • GHSA-jqv5-7xpx-qj74: https://github.com/advisories/GHSA-jqv5-7xpx-qj74
  • Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781

Related news

CVE-2022-43441: Code execution vulnerability due to Object coercion

A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted JavaScript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.

Vulnerability Spotlight: Node-SQLite3 issue could lead to denial of service in Ghost CMS

Due to JSON format limitations, the vulnerability only manifests itself as a remote denial of service in Ghost CMS, which crashes the Node.js process. However, the vulnerability could potentially lead to remote code execution in other products that use it.

Debian Security Advisory 5373-1

Debian Linux Security Advisory 5373-1 - Dave McDaniel discovered that the SQLite3 bindings for Node.js were susceptible to the execution of arbitrary JavaScript code if a binding parameter is a crafted object.