{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-45346", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T04:39:20.536Z", "dateReserved": "2021-12-20T00:00:00", "datePublished": "2022-02-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-31T00:00:00"}, "descriptions": [{"lang": "en", "value": "A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/guyinatuxedo/sqlite3_record_leaking"}, {"url": "https://security.netapp.com/advisory/ntap-20220303-0001/"}, {"url": "https://sqlite.org/forum/forumpost/53de8864ba114bf6"}, {"url": "https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves"}, {"url": "https://sqlite.org/forum/forumpost/056d557c2f8c452ed5"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.536Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/guyinatuxedo/sqlite3_record_leaking", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20220303-0001/", "tags": ["x_transferred"]}, {"url": "https://sqlite.org/forum/forumpost/53de8864ba114bf6", "tags": ["x_transferred"]}, {"url": "https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves", "tags": ["x_transferred"]}, {"url": "https://sqlite.org/forum/forumpost/056d557c2f8c452ed5", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sqlite:sqlite:3.35.1:*:*:*:*:*:*:*", "matchCriteriaId": "957B4E14-84C0-45C8-96C3-C78D17FB4DA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:sqlite:sqlite:3.37.0:*:*:*:*:*:*:*", "matchCriteriaId": "3CB2AF7E-0D10-47B6-B2F1-751A599A3E96", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect."}, {"lang": "es", "value": "** EN DISPUTA ** Se presenta una vulnerabilidad de p\u00e9rdida de memoria en SQLite Project SQLite3 versiones 3.35.1 y 3.37.0 por medio de consultas SQL dise\u00f1adas de forma maliciosa (realizadas por medio de la edici\u00f3n del archivo de la base de datos), es posible consultar un registro, y filtrar los bytes de memoria subsiguientes que son extendidos m\u00e1s all\u00e1 del registro, lo que podr\u00eda permitir a un usuario malicioso obtener informaci\u00f3n confidencial. NOTA: El desarrollador disputa esto como una vulnerabilidad afirmando que si le das a SQLite un archivo de base de datos corrupto y env\u00edas una consulta contra la base de datos, podr\u00eda leer partes de la base de datos que no pretend\u00edas o esperabas"}], "id": "CVE-2021-45346", "lastModified": "2024-08-04T05:15:42.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-14T19:15:07.793", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/guyinatuxedo/sqlite3_record_leaking"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220303-0001/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://sqlite.org/forum/forumpost/056d557c2f8c452ed5"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://sqlite.org/forum/forumpost/53de8864ba114bf6"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "sqlite: crafted SQL query allows a malicious user to obtain sensitive information", "id": "2054793", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054793"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-401->CWE-200", "details": ["A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.", "A memory leak flaw was found in the SQLite Project via maliciously crafted SQL Queries (made via editing the Database File). This flaw allows a malicious user to obtain sensitive information due to a possible query to a record and leaking subsequent bytes of memory that extend beyond the record."], "name": "CVE-2021-45346", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "mingw-sqlite", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-03-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-45346\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45346\nhttps://security.netapp.com/advisory/ntap-20220303-0001/"], "threat_severity": "Low"}