CVE-2022-43441
Published: 16 March 2023
Summary
CVE-2022-43441 is a high-severity vulnerability in Ghost Sqlite3 classified as Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915). Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially crafted JavaScript file can lead to arbitrary code execution when malicious input is processed by the affected component.
An attacker can exploit this issue over the network without requiring authentication or user interaction, albeit with high attack complexity, to achieve arbitrary code execution with impacts to confidentiality, integrity, and availability.
Advisories detailing the vulnerability are available from the GitHub security advisory GHSA-jqv5-7xpx-qj74 and Talos Intelligence report TALOS-2022-1645. The current exploitation probability remains low at approximately 0.07 with no significant increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1051
Vulnerability details
A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially crafted JavaScript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring explicit authorization for, and maintaining ongoing control over, mobile code enforces proper management of dynamically loaded code resources.