Vulnerability in SQLite 3.39.2 CVE-2024-0232

We are using the following packages in our Android application.

‘net.zetetic:android-database-sqlcipher:4.5.4@aar’
‘net.zetetic:android-database-sqlcipher:4.5.3@aar’
‘net.zetetic:android-database-sqlcipher:4.5.2@aar’

Does CVE-2024-0232 affect our application?

@shiva.hw - those releases include a version of SQLite that falls under the CVE. Your application would be affected if it meets either of these criteria:

  1. It executes arbitrary SQL or is susceptible to an injection attack from a potential attacker.
  2. It uses the SQLite JSON API and processes arbitrary JSON content using those functions.

Our recommendation would be to upgrade to SQLCipher 4.5.6, which is based on SQLite 3.44.2. We are no longer releasing pre-built community edition packages of the legacy android-database-sqlcipher package, so if you are using the community edition we recommend migrating to sqlcipher-android (integration instructions, github, migration guide).

If you are using a commercially licensed android-database-sqlcipher package you may contact us separately at support@zetetic.net to discuss further.
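As an added illustration (not code from this thread or from Zetetic), one way to confirm which SQLite a database library actually links against, rather than inferring it from the artifact version: run `SELECT sqlite_version()` through the connection and compare it with the 3.44.2 that the reply names as the SQLCipher 4.5.6 baseline, and probe whether the JSON functions the reply mentions are compiled in. Python's standard `sqlite3` module stands in for a SQLCipher connection here; the same two queries can be issued through the SQLCipher Android API. Using 3.44.2 as the cut-off is an assumption drawn from the reply, not a statement of the first fixed SQLite release.

```python
import sqlite3
from typing import NamedTuple, Tuple

# Baseline taken from the reply above: SQLCipher 4.5.6 ships SQLite 3.44.2.
# Assumption: the thread gives no first-fixed release, so anything older than
# the recommended version is flagged for upgrade during triage.
RECOMMENDED_SQLITE: Tuple[int, ...] = (3, 44, 2)


class SqliteCheck(NamedTuple):
    version: str
    below_recommended: bool
    json_functions_present: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.39.2' into (3, 39, 2) so versions compare numerically.
    A plain string comparison would rank '3.9.9' above '3.44.2'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_below(version: str, baseline: Tuple[int, ...] = RECOMMENDED_SQLITE) -> bool:
    return parse_version(version) < baseline


def json_functions_available(conn: sqlite3.Connection) -> bool:
    """The JSON API is the second exposure the reply lists; probe for it directly
    instead of assuming it from the build."""
    try:
        conn.execute("SELECT json_valid('{}')")
        return True
    except sqlite3.OperationalError:  # 'no such function' when JSON1 is absent
        return False


def check_engine(conn: sqlite3.Connection) -> SqliteCheck:
    """Ask the linked library what it is; the package coordinate alone can mislead."""
    (version,) = conn.execute("SELECT sqlite_version()").fetchone()
    return SqliteCheck(version, is_below(version), json_functions_available(conn))


def check_in_memory() -> SqliteCheck:
    """Run the check against a throwaway in-memory database."""
    return check_engine(sqlite3.connect(":memory:"))


if __name__ == "__main__":
    print(check_in_memory())
```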