{"id":"CVE-2022-46908","details":"SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.","aliases":["BIT-sqlite-2022-46908"],"modified":"2026-04-16T04:39:05.434809949Z","published":"2022-12-12T06:15:10.793Z","related":["CGA-x4gm-3r9h-v9h4","SUSE-SU-2022:4603-1","SUSE-SU-2022:4628-1","SUSE-SU-2023:1295-1","SUSE-SU-2023:2668-1","openSUSE-SU-2024:12574-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202311-03"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230203-0005/"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=33948588"},{"type":"REPORT","url":"https://sqlite.org/forum/forumpost/07beac8056151b2f"},{"type":"FIX","url":"https://sqlite.org/src/info/cefc032473ac5ad2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sqlite/sqlite","events":[{"introduced":"315e3122c37b2dbe0fb7b3a4c3b9b6961e3bda96"},{"fixed":"1fdaa9d1a79b05503ee5243e360b9b5dea0ff25c"}],"database_specific":{"versions":[{"introduced":"3.37.0"},{"fixed":"3.40.1"}]}}],"versions":["version-3.37.0","version-3.38.0","version-3.39.0","version-3.40.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46908.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}