Hi
Our scan tool reports vulnerabilities CVE-2023-3446,CVE-2024-2511,CVE-2024-4741,CVE-2024-5535 in openssl 1.1.1s used by sqlcipher
Do these vulnerabilities affect net.zetetic:android-database-sqlcipher?
Thanks
Hi @chen_song,
SQLCipher is not affected by CVE-2023-3446, CVE-2024-2511, or CVE-2024-5535 as it does not utilize Diffie–Hellman key exchange, nor TLS. I do not see any information currently available for CVE-2024-4741 [1] [2].
Hi @developernotes, thank you for your reply.
Details about vulnerability CVE-2024-4741 can be found here:
https://www.openssl.org/news/vulnerabilities.html
@chen_song - SQLCipher is not affected by CVE-2024-4741 as it does not use SSL_free_buffers.
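A way to check the "does not use those APIs" reasoning against your own build, as an added example that is not from this thread or from the SQLCipher project: it parses `nm -D --undefined-only` output for a shared library and flags imported OpenSSL symbols that would put the affected code paths in reach. The symbol-to-CVE mapping is this example's own coarse assumption (the thread only names TLS, Diffie-Hellman and SSL_free_buffers as the relevant areas), and the sample nm lines are constructed.

```python
import re
import subprocess
from typing import Dict, Set

# Coarse reachability indicators per CVE. The categories come from the thread
# (TLS, Diffie-Hellman, SSL_free_buffers); the prefix/name mapping is an
# assumption of this example, not a statement by the SQLCipher project.
CVE_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "CVE-2023-3446": re.compile(r"^DH_"),               # Diffie-Hellman API
    "CVE-2024-2511": re.compile(r"^SSL_"),              # TLS (libssl) API
    "CVE-2024-4741": re.compile(r"^SSL_free_buffers$"), # the call named in the thread
    "CVE-2024-5535": re.compile(r"^SSL_"),              # TLS (libssl) API
}

# One nm line: optional hex address, one-letter symbol type, symbol name
NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")

def undefined_symbols(nm_output: str) -> Set[str]:
    """Keep only 'U' (imported) symbols; strip version tags like @OPENSSL_1_1_0."""
    syms = set()
    for line in nm_output.splitlines():
        m = NM_LINE.match(line)
        if m and m.group(1) == "U":
            syms.add(m.group(2).split("@")[0])
    return syms

def exposed_cves(symbols: Set[str]) -> Dict[str, Set[str]]:
    """Map each CVE to the imported symbols that make its code path reachable."""
    hits: Dict[str, Set[str]] = {}
    for cve, pat in CVE_INDICATORS.items():
        matched = {s for s in symbols if pat.search(s)}
        if matched:
            hits[cve] = matched
    return hits

def scan_library(path: str) -> Dict[str, Set[str]]:
    """Run nm on a real shared object (requires binutils on PATH)."""
    out = subprocess.run(["nm", "-D", "--undefined-only", path],
                         capture_output=True, text=True, check=True).stdout
    return exposed_cves(undefined_symbols(out))

# Constructed sample: a library that only imports libcrypto primitives (no libssl, no DH)
SAMPLE_LIBCRYPTO_ONLY = """\
                 U EVP_CipherInit_ex@OPENSSL_1_1_0
                 U HMAC_Init_ex@OPENSSL_1_1_0
                 U PKCS5_PBKDF2_HMAC@OPENSSL_1_1_0
                 U RAND_bytes@OPENSSL_1_1_0
                 U EVP_sha512@OPENSSL_1_1_0
"""
# Constructed sample: a TLS client that does reach the affected code paths
SAMPLE_TLS_CLIENT = """\
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U SSL_free_buffers@OPENSSL_1_1_0
                 U DH_check@OPENSSL_1_1_0
                 U EVP_CipherInit_ex@OPENSSL_1_1_0
"""
```

An empty result means none of the indicator symbols are imported; a non-empty result is a reason to look closer, not a confirmed exposure.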
Hi @developernotes,
Thanks for the previous clarification regarding CVE-2023-3446, CVE-2024-2511, CVE-2024-4741, and CVE-2024-5535 not affecting net.zetetic:android-database-sqlcipher due to the absence of TLS, Diffie–Hellman, and SSL_free_buffers.
Could you please confirm if this is still the case for net.zetetic:sqlcipher-android (e.g. 4.6.1 or newer)?
We’d just like to confirm that no recent updates have introduced any new dependencies or usage of OpenSSL components that could potentially be affected by these CVEs.
Thanks a lot for your work!
Hi @Cap_KM,
Those CVEs do not apply to sqlcipher-android either.