A security vulnerability in SQLite was recently discovered that could allow an attacker to remotely execute code, depending on the implementation.
There is a low risk that some Ionic applications could be affected by this vulnerability.
What platform(s) are affected?
iOS: No Risk
iOS applications are unaffected by this vulnerability.
Android: Low Risk
The majority of Android applications will NOT be affected by this vulnerability. See below for details.
Is my application at risk?
The vulnerability may be present in your application only if all of the following are true:
- You are making use of a plugin that uses SQLite for storage purposes, such as cordova-sqlite-storage
- Your SQLite implementation does one or more of the following (a number of articles and blogs have posted more specifics online, including this one from CommonsWare):
  - Executes arbitrary SQL from arbitrary sources
  - Opens arbitrary databases
  - Uses a webview to view arbitrary content
What can I do?
If your application fits the criteria above, there are two actions you can take:
- Update your SQLite plugin to the latest version
  - Please check the associated plugin repositories to ensure your plugin has been updated to address the vulnerability
  - Note that upgrading your plugin may include breaking changes to your application that will require extra steps, including (but not limited to) code changes or a new app store release
- Evaluate your SQLite implementation to ensure it is not performing the actions outlined above
For the vast majority of customers, updating your SQLite plugin will address the vulnerability.
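One way to enforce the first two criteria in code while evaluating your implementation is a thin guard between application code and the plugin handle, so that only listed databases are opened and only predefined statements are executed. This is an added example, not code from Ionic or from the plugin; ALLOWED_DATABASES, STATEMENTS, openAppDatabase and runStatement are hypothetical names, and the database name and schema are constructed samples.

```javascript
// Added example, not Ionic's or the plugin's code. Hypothetical names:
// ALLOWED_DATABASES, STATEMENTS, openAppDatabase, runStatement.

// Only databases the app itself ships or creates (constructed sample value).
const ALLOWED_DATABASES = new Set(['app.db']);

// Every SQL string the app may run is a constant defined here (constructed
// sample schema). External input can only travel as bound parameters.
const STATEMENTS = Object.freeze({
  insertNote: { sql: 'INSERT INTO notes (title, body) VALUES (?, ?)', arity: 2 },
  notesByTitle: { sql: 'SELECT id, title, body FROM notes WHERE title = ?', arity: 1 },
});

// plugin is window.sqlitePlugin on a device; it is passed in so the guard
// can be exercised without one.
function openAppDatabase(plugin, name) {
  if (typeof name !== 'string' || !ALLOWED_DATABASES.has(name)) {
    throw new Error('refusing to open unlisted database: ' + String(name));
  }
  return plugin.openDatabase({ name: name, location: 'default' });
}

function runStatement(db, key, params) {
  // hasOwnProperty keeps inherited keys such as "constructor" from matching.
  if (!Object.prototype.hasOwnProperty.call(STATEMENTS, key)) {
    throw new Error('unknown statement key: ' + String(key));
  }
  const stmt = STATEMENTS[key];
  if (!Array.isArray(params) || params.length !== stmt.arity) {
    throw new Error(key + ' expects ' + stmt.arity + ' bound parameter(s)');
  }
  for (const p of params) {
    if (p !== null && typeof p !== 'string' && typeof p !== 'number') {
      throw new Error('bound parameters must be string, number or null');
    }
  }
  // The SQL text always comes from STATEMENTS, never from the caller.
  return new Promise((resolve, reject) => {
    db.executeSql(stmt.sql, params, resolve, reject);
  });
}
```

Routing every database call in the app through these two functions makes the review a matter of searching for direct openDatabase and executeSql calls that bypass them.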