Our internal tool reported this vulnerability CVE-2023-0464 in openssl.
Does this vulnerability affect the Zetetic library net.zetetic:android-database-sqlcipher?
If yes, could you explain the rationale?
And what is the fix plan?
Hi @shi.va,
Neither SQLCipher core, nor SQLCipher for Android are affected by CVE-2023-0464. SQLCipher does not use the X.509 features.
CVE-2023-0464 affects OpenSSL’s certificate policy processing, but it does not impact Zetetic’s SQLCipher for Android in normal usage. The net.zetetic:android-database-sqlcipher library relies on Android’s crypto stack and does not expose or invoke the vulnerable OpenSSL code paths directly. As a result, no library-side fix is required; remediation is handled via OS/OpenSSL updates rather than SQLCipher changes.
Hi @Carter,
As previously mentioned, neither SQLCipher nor SQLCipher for Android is affected by CVE-2023-0464. While some builds of SQLCipher do use OpenSSL (including SQLCipher for Android), SQLCipher does not use X.509 features in OpenSSL.