Schneider-Electric-Carros changed the title from "2 High vulnerabilities detected when using an automatic vulnerability-detection tool" to "1 High and 1 Medium vulnerabilities detected when using an automatic vulnerability-detection tool" on May 10, 2021
Context where the vulnerabilities are detected
Steps to reproduce:
1. Create a Hello World application importing xeodou/go-sqlcipher
2. Build the application
3. Scan the result with Black Duck Binary Analysis
Expected behavior:
No vulnerabilities should be reported.
Actual behavior:
1 High and 1 Medium vulnerabilities are detected.
More details on the vulnerabilities:
High (CVE-2021-3119)
Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a remote denial of service attack. For example, an SQL injection can be used to execute the crafted SQL command sequence, which causes a segmentation fault.
Medium (CVE-2020-27207)
Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.
Additional details
I know that you are not responsible, technically speaking, for the SQLCipher from Zetetic. I am just afraid that you are wrapping, in Go, an outdated version of SQLCipher.
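As an added example (not code from this issue or from the go-sqlcipher project), a small Go program that asks the linked library itself which SQLCipher release it is, via PRAGMA cipher_version, and maps the answer against the two fixed versions named in the report. It assumes the go-sqlcipher driver is imported and registers under the driver name "sqlite3".

```go
package main

import (
	"database/sql"
	"fmt"
	"sort"
)
// fixedIn maps each CVE from the report to the first 4.x release that contains its fix.
var fixedIn = map[string][3]int{"CVE-2020-27207": {4, 4, 1}, "CVE-2021-3119": {4, 4, 3}}
// parseVersion reads the leading "major.minor.patch" of a PRAGMA cipher_version
// result such as "4.4.2 community"; the trailing build label is ignored.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]); err != nil || n != 3 {
		return v, fmt.Errorf("unexpected cipher_version %q", s)
	}
	return v, nil
}
// Affected returns, sorted, the CVEs whose fix is newer than the reported version.
// Both advisories cover 4.x only, so any other major version yields no findings.
func Affected(cipherVersion string) ([]string, error) {
	v, err := parseVersion(cipherVersion)
	if err != nil || v[0] != 4 {
		return nil, err
	}
	var out []string
	for cve, fix := range fixedIn {
		if v[1] < fix[1] || (v[1] == fix[1] && v[2] < fix[2]) {
			out = append(out, cve)
		}
	}
	sort.Strings(out)
	return out, nil
}
// main assumes the go-sqlcipher driver was imported (`_ "github.com/xeodou/go-sqlcipher"`, an
// assumption) and registers as "sqlite3"; without it sql.Open fails with "unknown driver".
func main() {
	db, err := sql.Open("sqlite3", ":memory:")
	if err != nil {
		panic(err)
	}
	defer db.Close()
	var ver string
	if err := db.QueryRow("PRAGMA cipher_version").Scan(&ver); err != nil {
		panic(err)
	}
	cves, err := Affected(ver)
	fmt.Printf("SQLCipher %q: affected by %v (err=%v)\n", ver, cves, err)
}
```

The version check is the part worth wiring into a build-time test, so a dependency bump to a vulnerable SQLCipher fails CI instead of waiting for the next binary scan.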