Bitnami package
sqlite
pkg:bitnami/sqlite
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-70873 | High | 7.5 | — | < 3.51.1 | 3.51.1 | Mar 12, 2026 | An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file. |
| CVE-2025-7458 | — | — | — | >= 3.39.2, < 3.41.2 | 3.41.2 | Jul 29, 2025 | An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT |
| CVE-2025-6965 | Critical | 9.8 | — | >= 0 | — | Jul 15, 2025 | There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. |
| CVE-2025-3277 | — | — | — | >= 0 | — | Apr 14, 2025 | An integer overflow can be triggered in SQLite's `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of |
| CVE-2025-29088 | — | — | — | >= 3.49.0 | — | Apr 10, 2025 | In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect. |
| CVE-2025-29087 | — | — | — | >= 0 | — | Apr 7, 2025 | In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calcu |
| CVE-2024-0232 | — | — | — | >= 3.43.0 | — | Jan 16, 2024 | A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial |
| CVE-2023-7104 | — | — | — | < 3.43.1 | 3.43.1 | Dec 25, 2023 | A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recom |
| CVE-2021-31239 | — | — | — | >= 3.35.4, < 3.35.5 | 3.35.5 | May 9, 2023 | An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function. |
| CVE-2022-46908 | — | — | — | >= 3.37.0, < 3.40.1 | 3.40.1 | Dec 12, 2022 | SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE. |
| CVE-2020-35527 | — | — | — | >= 3.31.1, < 3.31.2 | 3.31.2 | Sep 1, 2022 | In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause. |
| CVE-2020-35525 | — | — | — | >= 3.31.1, < 3.31.2 | 3.31.2 | Sep 1, 2022 | In SQLite 3.31.1, a potential null pointer dereference was found in the INTERSECT query processing. |
| CVE-2022-35737 | — | — | — | >= 1.0.12, < 3.39.2 | 3.39.2 | Aug 3, 2022 | SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API. |
| CVE-2021-45346 | — | — | — | >= 3.35.1, < 3.35.2 | 3.35.2 | Feb 14, 2022 | A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a maliciou |
| CVE-2021-36690 | — | — | — | >= 3.36.0, < 3.36.1 | 3.36.1 | Aug 24, 2021 | A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is in |
| CVE-2021-20227 | — | — | — | >= 3.33.0, < 3.34.1 | 3.34.1 | Mar 23, 2021 | A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat fro |
| CVE-2020-15358 | — | — | — | < 3.32.3 | 3.32.3 | Jun 27, 2020 | In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. |
| CVE-2020-13871 | — | — | — | >= 3.32.2, < 3.32.3 | 3.32.3 | Jun 6, 2020 | SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late. |
| CVE-2020-13630 | — | — | — | < 3.32.0 | 3.32.0 | May 27, 2020 | ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. |
| CVE-2020-13631 | — | — | — | < 3.32.0 | 3.32.0 | May 27, 2020 | SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. |
Page 1 of 2