New vulnerabilities detected in library OpenSSL version 1.1.1q

Our scan tool reports vulnerabilities BDSA-2023-3046 in openssl 1.1.1q used by SQLCipher.
Do these vulnerabilities affect the library net.zetetic:android-database-sqlcipher?

Shiva G P

Hi @shiva.hw,

Thank you for reaching out regarding SQLCipher. Unfortunately, I was unable to locate a public reference to BDSA-2023-3046. Is that something you can provide, or is there a corresponding public CVE that has been issued? Additionally, can you clarify whether your organization is utilizing a Community/Commercial/Enterprise build of SQLCipher for Android?

Hi @developernotes, thanks for your quick response. I’m using the following dependency in my app

@shiva.hw - android-database-sqlcipher is now deprecated. You should consider migrating over to use the replacement, sqlcipher-android with OpenSSL 3.0.10. Barring that, we would need to know what the CVE identifier is to say whether SQLCipher would be impacted. However, SQLCipher is not affected by any of the published CVEs on the OpenSSL project.