CVE-2022-21227

EUVD-2022-1694
The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
snykCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
ghostsqlite3
𝑥
< 5.0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-sqlite3
bookworm
5.1.5+ds1-1
fixed
bullseye
5.0.0+ds1-1+deb11u2
fixed
bullseye (security)
5.0.0+ds1-1+deb11u2
fixed
buster
not-affected
sid
5.1.5+ds1-1
fixed
trixie
5.1.5+ds1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-sqlite3
bionic
needs-triage
focal
needs-triage
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
xenial
needs-triage
References
https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470
https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645
https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470
https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645