Vulnerability in SQLite3.39.2 CVE-2024-0232

shiva.hw · January 31, 2024, 3:04am

We are using following packages in our android application.

‘net.zetetic:android-database-sqlcipher:4.5.4@aar’
‘net.zetetic:android-database-sqlcipher:4.5.3@aar’
‘net.zetetic:android-database-sqlcipher:4.5.2@aar’

Does CVE-2024-0232 affect our application?

sjlombardo · January 31, 2024, 2:39pm

@shiva.hw - those releases include a version of SQLite that falls under the CVE. Your application would be affected if it meets either of these criteria:

It executes arbitrary SQL or is susceptible to an injection attack from a potential attacker
It uses the SQLite JSON API and processes arbitrary JSON content using those functions.

Our recommendation would be to upgrade to SQLCipher 4.5.6 which is based on SQLite 3.44.2. We are no longer releasing pre-built community edition packages of the legacy android-database-sqlcipher package, so if you are using community edition we recommend migrating to sqlcipher-android (integration instructions, github, migration guide).

If you are using a commercially licensed android-database-sqlcipher package you may contact us separately at support@zetetic.net to discuss further.

Topic		Replies	Views
New vulnerability detected CVE-2024-0232 Issues	1	120	January 30, 2024
New vulnerabilities detected in library OpenSSL version 1.1.1q SQLCipher	3	228	November 12, 2023
Updated Version of SQLcipher SQLCipher	2	86	March 26, 2024
Use of Outdated Vulnerable Component SQLCipher	2	295	July 28, 2023
RTree security issue SQLCipher	4	781	January 12, 2018

Vulnerability in SQLite3.39.2 CVE-2024-0232

Related Topics