
modernc.org/sqlite-v1.21.0: 1 vulnerabilities (highest severity is: 5.5) - autoclosed #438

Open
dhiaayachi opened this issue Sep 5, 2024 · 2 comments

Comments

@dhiaayachi
Owner

Vulnerable Library - modernc.org/sqlite-v1.21.0

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (modernc.org/sqlite-v1.21.0 version) | Remediation Available
CVE-2020-28928 | Medium | 5.5 | modernc.org/libc-v1.22.3 | Transitive | N/A* | 

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2020-28928

Vulnerable Library - modernc.org/libc-v1.22.3

Library home page: https://proxy.golang.org/modernc.org/libc/@v/v1.22.3.zip

Dependency Hierarchy:

  • modernc.org/sqlite-v1.21.0 (Root Library)
    • modernc.org/libc-v1.22.3 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

Publish Date: 2020-11-24

URL: CVE-2020-28928

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28928

Release Date: 2020-11-24

Fix Resolution: musl - 1.2.2-1, 1.2.2-1, 1.1.16-3+deb9u1

@dhiaayachi
Owner Author

Thank you for reporting this vulnerability.

The vulnerability you have reported (CVE-2020-28928) affects the modernc.org/libc library, which is a transitive dependency of modernc.org/sqlite-v1.21.0. Unfortunately, there is no version of modernc.org/sqlite that includes a fix for this vulnerability.

The suggested fix is to upgrade musl to version 1.2.2-1, 1.2.2-1, or 1.1.16-3+deb9u1. However, this may require changes to your project's build configuration.

Please let me know if you have any further questions.

@dhiaayachi
Owner Author

This vulnerability affects the modernc.org/libc library, which is a transitive dependency of your Temporal project. As mentioned in the details section, the vulnerability is fixed in musl version 1.2.2-1, 1.2.2-1, and 1.1.16-3+deb9u1.

Unfortunately, there isn't a version of modernc.org/sqlite that includes a fixed version of modernc.org/libc. Therefore, you'll need to consider alternative solutions to mitigate this vulnerability:

  • Upgrade Temporal to a version that uses a patched modernc.org/libc library: If possible, check if a newer Temporal version includes a fixed version of modernc.org/libc.
  • Manually patch the modernc.org/libc library: This requires advanced knowledge of the library and potential risks.
  • Use a different SQLite library: If your project allows it, consider using an alternative SQLite library that doesn't depend on modernc.org/libc.
  • Restrict access to the vulnerable component: If you can isolate the use of the vulnerable component to a specific part of your project, you can restrict access to this component to mitigate the risk.

Please note that these solutions have their own trade-offs and may require further investigation and implementation. You should consult the Temporal documentation and potentially contact their support for guidance on the most appropriate solution for your project.
