Cisco Talos recently discovered a vulnerability in node-sqlite3 that affects the Ghost content management system and could affect other software utilizing this library.
Ghost is a content management system with tools to build a website, publish content and send newsletters.
The node-sqlite3 library provides asynchronous, non-blocking SQLite3 bindings for Node.js. Ghost maintains the node-sqlite3 library and uses it in its CMS platform.
Talos identified a remote code execution vulnerability that an attacker can trigger by sending the target a specially crafted JSON object. TALOS-2022-1645 (CVE-2022-43441) exists in the node-sqlite3 module and could affect applications using the module.
Due to JSON format limitations, the vulnerability only manifests itself as a remote denial of service in Ghost CMS, which crashes the Node.js process. However, the vulnerability could potentially lead to remote code execution in other products that use the library.
Cisco Talos worked with Ghost to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.
Users are encouraged to update the affected product as soon as possible: Ghost Foundation node-sqlite3, version 5.1.1. Talos tested and confirmed that this version of node-sqlite3 could be exploited through this vulnerability.
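To check a Node.js project for the version named above, the following added example (not code from Talos, Ghost or node-sqlite3) scans a parsed package-lock.json for every installed copy of the library, including copies nested under other dependencies. It assumes the library is installed from npm under the name sqlite3; the sample lockfiles and the some-orm package are constructed.

```javascript
// Added example, not code from Talos, Ghost or node-sqlite3.
// Assumption: node-sqlite3 is installed from npm under the name "sqlite3".
const PACKAGE = "sqlite3";
const CONFIRMED_AFFECTED = "5.1.1"; // version the advisory reports as tested

// List every copy of the package recorded in a parsed package-lock.json.
function findSqlite3(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const nested = path.endsWith(`/node_modules/${PACKAGE}`);
      if (path === `node_modules/${PACKAGE}` || nested) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === PACKAGE) hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  // confirmedAffected === false only means "not the version the advisory
  // names"; it does not establish that the version is unaffected.
  return hits.map((h) => ({ ...h, confirmedAffected: h.version === CONFIRMED_AFFECTED }));
}

// Constructed lockfiles ("some-orm" is a hypothetical package).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "constructed-app", version: "1.0.0" },
  "node_modules/sqlite3": { version: "5.1.1" },
  "node_modules/some-orm/node_modules/sqlite3": { version: "5.0.2" },
  "node_modules/better-sqlite3": { version: "8.0.0" }, // different package
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "some-orm": { version: "1.0.0", dependencies: { sqlite3: { version: "5.1.1" } } },
} };

console.log(findSqlite3(SAMPLE_V3));
console.log(findSqlite3(SAMPLE_V1));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to findSqlite3.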
The following Snort rule will detect exploitation attempts against this vulnerability: 60946. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.