CVE-2022-35737 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 97%

Affected Products (NVD)

Vendor	Product	Version
sqlite	sqlite	1.0.12 ≤ 𝑥 < 3.39.2
netapp	ontap_select_deploy_administration_utility	-
splunk	universal_forwarder	8.2.0 ≤ 𝑥 < 8.2.12
splunk	universal_forwarder	9.0.0 ≤ 𝑥 < 9.0.6
splunk	universal_forwarder	9.1.0

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

1809 (arm64, x64, x86)	KB5034127
21H2 (arm64, x64, x86)	KB5034122
22H2 (arm64, x64, x86)	KB5034122

Windows Server 2019

Server Core	KB5034127
Standard	KB5034127

Windows Server 2022

Server Core	KB5034129
Standard	KB5034129

Debian Releases

Debian Product

Codename

sqlite3

bookworm	3.40.1-2 fixed
bullseye	unimportant
bullseye (security)	unimportant
sid	3.46.1-1 fixed
trixie	3.46.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

sqlite

bionic	not-affected
focal	not-affected
jammy	not-affected
kinetic	not-affected
lunar	dne
mantic	dne
noble	dne
trusty	not-affected
xenial	needed

sqlite3

bionic	Fixed 3.22.0-1ubuntu0.7 released
focal	Fixed 3.31.1-4ubuntu0.5 released
jammy	Fixed 3.37.2-2ubuntu0.1 released
kinetic	not-affected
lunar	not-affected
mantic	not-affected
noble	not-affected
trusty	Fixed 3.8.2-1ubuntu2.2+esm3 released
xenial	Fixed 3.11.0-1ubuntu1.5+esm2 released

Known Exploits!

Common Weakness Enumeration

CWE-129 - Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References

https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/

https://kb.cert.org/vuls/id/720344

https://security.gentoo.org/glsa/202210-40

https://security.netapp.com/advisory/ntap-20220915-0009/

https://sqlite.org/releaselog/3_39_2.html

https://www.sqlite.org/cves.html

https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/

https://kb.cert.org/vuls/id/720344

https://security.gentoo.org/glsa/202210-40

https://security.netapp.com/advisory/ntap-20220915-0009/

https://sqlite.org/releaselog/3_39_2.html

https://www.sqlite.org/cves.html