sqlite3-5.0.11.tgz: 6 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - sqlite3-5.0.11.tgz

Asynchronous, non-blocking SQLite3 bindings

Library home page: https://registry.npmjs.org/sqlite3/-/sqlite3-5.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sqlite3/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (sqlite3 version)	Remediation Possible**
CVE-2023-42282	Critical	9.8	ip-2.0.0.tgz	Transitive	N/A*	❌
CVE-2024-29415	Critical	9.1	ip-2.0.0.tgz	Transitive	N/A*	❌
CVE-2022-43441	High	8.1	sqlite3-5.0.11.tgz	Direct	5.1.5	✅
CVE-2024-28863	Medium	6.5	tar-6.1.11.tgz	Transitive	N/A*	❌
CVE-2022-25883	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-25881	Medium	5.3	http-cache-semantics-4.1.0.tgz	Transitive	5.1.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-2.0.0.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• sqlite3-5.0.11.tgz (Root Library)
  • node-gyp-8.4.1.tgz
    • make-fetch-happen-9.1.0.tgz
      • socks-proxy-agent-6.2.1.tgz
        • socks-2.7.0.tgz
          • ❌ ip-2.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution: ip - 1.1.9,2.0.1

CVE-2024-29415

Vulnerable Library - ip-2.0.0.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• sqlite3-5.0.11.tgz (Root Library)
  • node-gyp-8.4.1.tgz
    • make-fetch-happen-9.1.0.tgz
      • socks-proxy-agent-6.2.1.tgz
        • socks-2.7.0.tgz
          • ❌ ip-2.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2022-43441

Vulnerable Library - sqlite3-5.0.11.tgz

Asynchronous, non-blocking SQLite3 bindings

Library home page: https://registry.npmjs.org/sqlite3/-/sqlite3-5.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sqlite3/package.json

Dependency Hierarchy:

• ❌ sqlite3-5.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.

Publish Date: 2023-03-16

URL: CVE-2022-43441

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jqv5-7xpx-qj74

Release Date: 2023-03-16

Fix Resolution: 5.1.5

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-28863

Vulnerable Library - tar-6.1.11.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

• sqlite3-5.0.11.tgz (Root Library)
  • ❌ tar-6.1.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

CVE-2022-25883

Vulnerable Libraries - semver-6.3.0.tgz, semver-7.3.7.tgz

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/make-dir/node_modules/semver/package.json

Dependency Hierarchy:

• sqlite3-5.0.11.tgz (Root Library)
  • node-pre-gyp-1.0.9.tgz
    • make-dir-3.1.0.tgz
      • ❌ semver-6.3.0.tgz (Vulnerable Library)

semver-7.3.7.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@npmcli/fs/node_modules/semver/package.json,/node_modules/@mapbox/node-pre-gyp/node_modules/semver/package.json,/node_modules/node-gyp/node_modules/semver/package.json

Dependency Hierarchy:

• sqlite3-5.0.11.tgz (Root Library)
  • node-gyp-8.4.1.tgz
    • ❌ semver-7.3.7.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

CVE-2022-25881

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

• sqlite3-5.0.11.tgz (Root Library)
  • node-gyp-8.4.1.tgz
    • make-fetch-happen-9.1.0.tgz
      • ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution (http-cache-semantics): 4.1.1

Direct dependency fix Resolution (sqlite3): 5.1.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.