Experts disclosed a 22-year-old bug in popular SQLite Database library

A high-severity vulnerability, tracked as CVE-2022-35737, has been disclosed in the SQLite database library.

The security expert Andreas Kellas detailed a high-severity vulnerability, tracked as CVE-2022-35737 (CVSS score: 7.5), in the SQLite database library, which was introduced in October 2000.

The CVE-2022-35737 flaw is an integer overflow issue that impacts SQLite versions 1.0.12 through 3.39.1. The vulnerability was addressed with the release of version 3.39.2 on July 21, 2022.

“SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.” reads the advisory.

An attacker can trigger the issue to execute arbitrary code on the affected system.

“CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled; arbitrary code execution is confirmed when the library is compiled without stack canaries, but unconfirmed when stack canaries are present, and denial-of-service is confirmed in all cases.” Kellas wrote.

The expert explained that in order to exploit the CVE-2022-35737 flaw, attackers have to pass large string inputs to the SQLite implementations of the printf functions and the format string contains the %Q, %q, or %w format substitution types.

The vulnerability ties the way a function, named “sqlite3_str_vappendf,” called by printf handles the string formatting.

A signed integer overflow is triggered when the sqlite3_str_vappendf function receives a large string and when the format substitution type is %q, %Q, or %w.

The researchers also discovered that if the format string contains the ! special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution in the worst case, or to cause a DoS condition.

“it’s a bug that may not have seemed like an error at the time that it was written (dating back to 2000 in the SQLite source code) when systems were primarily 32-bit architectu” Kellas concluded.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SQLite)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.