New vulnerabilities in openssl

chen_song · July 3, 2024, 11:40pm

Hi
Our scan tool reports vulnerabilities CVE-2023-3446,CVE-2024-2511,CVE-2024-4741,CVE-2024-5535 in openssl 1.1.1s used by sqlcipher
Does these vulnerabilities affect net. zetetic:android-database-sqlcipher ?

Thanks

developernotes · July 5, 2024, 1:46pm

Hi @chen_song,

SQLCipher is not affected by CVE-2023-3446, CVE-2024-2511, or CVE-2024-5535 as it does not utilize Diffie–Hellman key exchange, nor TLS. I do not see any information currently available for CVE-2024-4741 ^[1] ^[2].

chen_song · July 6, 2024, 1:50am

Hi @developernotes, thank you for your reply.
Detail about vunerability CVE-2024-4741 can be referenced from here:
https://www.openssl.org/news/vulnerabilities.html

sjlombardo · July 8, 2024, 1:52pm

@chen_song - SQLCipher is not affected by CVE-2024-4741 as it does not use SSL_free_buffers.

Topic		Replies	Views
New vulnerabilities detected in openssl SQLCipher	1	390	August 3, 2023
New vulnerabilities CVE-2023-0465 and CVE-2023-0466 in openssl SQLCipher	1	469	May 2, 2023
Our internal tool reported CVE-2023-0464 vulnerability in openssl SQLCipher	1	379	March 31, 2023
Use of 'net.zetetic:android-database-sqlcipher:4.5.1@aar' give OpenSSL 1.1.1m vulnerability SQLCipher	3	411	June 1, 2022
New vulnerability CVE-2023-5678 in openssl SQLCipher	1	218	November 9, 2023

New vulnerabilities in openssl

Related Topics