
CVE-2022-46908: n/a in n/a

Severity: High
Published: Mon Dec 12 2022 (12/12/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 12:00:20 UTC

Technical Analysis

CVE-2022-46908 is a high-severity vulnerability affecting SQLite versions up to and including 3.40.0. The issue arises when the SQLite command-line interface (CLI) is run with the --safe option to execute untrusted scripts. The --safe mode is intended to restrict potentially dangerous functions by means of a prohibited-function list, azProhibitedFunctions. Because this mechanism was implemented incorrectly, it fails to block certain user-defined functions (UDFs) such as WRITEFILE, so an attacker with local access and low privileges can invoke functions that write arbitrary files to the filesystem.

The vulnerability has a CVSS 3.1 base score of 7.3 (high), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high impact on confidentiality and integrity, and low impact on availability. Exploitation could lead to unauthorized file creation or modification, potentially enabling privilege escalation, persistence, or further compromise of the host system. No exploits in the wild had been reported as of the publication date. The vulnerability is relevant to any environment in which untrusted CLI scripts are executed with --safe mode enabled, a niche but critical use case in embedded systems, development tools, and custom applications that rely on SQLite scripting capabilities.

Potential Impact

For European organizations, the impact of CVE-2022-46908 depends largely on the extent to which SQLite is used in environments that execute untrusted CLI scripts with --safe mode enabled. SQLite is widely used across industries because it is lightweight and embeddable, including in IoT devices, mobile applications, and desktop software. Organizations in sectors such as manufacturing, healthcare, finance, and critical infrastructure that rely on embedded systems or custom tooling incorporating SQLite could be at risk. Successful exploitation could allow attackers to write arbitrary files, potentially leading to unauthorized code execution, data manipulation, or persistence. This could compromise the confidentiality and integrity of sensitive data, disrupt operations, or facilitate lateral movement within networks. Given the local attack vector and the low privileges required, insider threats or attackers who have already gained limited access could use this vulnerability to escalate privileges or implant malware. The absence of known exploits reduces the immediate risk but does not eliminate the threat, since exploit code could still be developed. European organizations subject to stringent data protection regulations (e.g., GDPR) must consider the risk of data breaches or integrity violations resulting from this vulnerability.

Mitigation Recommendations

To mitigate CVE-2022-46908, organizations should:

1) Update SQLite to a version later than 3.40.0 in which this vulnerability is patched; monitor the official SQLite release notes for the fixed version.
2) Until patched, avoid executing untrusted CLI scripts with the --safe option enabled, or apply strict input validation and sandboxing around such executions.
3) Restrict local access to systems running SQLite with scripting capabilities, enforcing least privilege and strong access controls to prevent unauthorized local execution.
4) Employ application whitelisting and file integrity monitoring to detect unauthorized file writes or modifications that could result from exploitation.
5) Conduct code reviews and security testing of custom applications or tools that embed SQLite and use its scripting features, to ensure no unsafe usage patterns exist.
6) Monitor logs and system behavior for suspicious file creation or modification by SQLite processes.
7) Educate developers and system administrators about the risks of enabling scripting features on untrusted input in SQLite, and promote secure coding practices.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-12-12T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc38c

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/3/2025, 12:00:20 PM

Last updated: 8/21/2025, 12:44:52 AM
