WebView2 : Version of SQLite & Zlib dependencies

[shuklakashish]

How could I find the version of WebView2 component's dependencies e.g - SQLite and Zlib.

Black duck scan is reporting vulnerabilities against - MicrosoftEdgeWebView2RuntimeInstallerX64 v
1.3.151.27 which includes following -

(1) SQLite v 3.23.2 - Older version of SQLite - 7 High, 29 Medium and 2 low vulnerabilities.

(2) zlib v 1.2.11 - Older version of zlib - following 1 High and 1 Medium vulnerabilities

1 High - BDSA-2018-5271 (CVE-2018-25032)
1 Medium - BDSA-2022-2183 (CVE-2022-37434)

I tried downloading the latest MicrosoftEdgeWebView2RuntimeInstallerX64 that is version 1.3.177.11 , even this seems to have these older version of SQLite & Zlip, as black duck scan reports same issue.

(1) I want to confirm exact versions of SQLite and Zlib used with latest version of WebView2RuntimeInstallerx64.
(2) Also where I can I find the upgrade plans for these dependencies (if any) or request for the same to address these vulnerabilities?

Thanks

[victorhuangwq]

@oggy22 Do you have any insights into this?

[shuklakashish]

Hi @victorhuangwq , thanks for prompt response; I don't see any reply from @oggy22. Any other input or suggestions regarding any of the above mentioned aspects/queries will be very helpful.

@oggy22 , your reply is awaited; kindly respond.

Thanks
Kashish

[shuklakashish]

@victorhuangwq , @oggy22 ,
Please suggest if you have any other inputs; also let me know if it's okay to go ahead and create an issue from this discussion?

Thanks
Kashish

[victorhuangwq]

Hi, seems like @LiangTheDev would know better about this. @LiangTheDev can I get your help on this?

[LiangTheDev]

This should be the same as #2501.

[LiangTheDev]

@shuklakashish could you please be specific about the issue with latest 1.3.177.11 version? What specific issues are reported for this version for sqlite and zlib. We are aware of the zlib issue and it has been addressed internally and will be rollout soon. For sqlite, which version and what vulnerability is reported?
The older versions are not patched and applications should update to latest version.

For detecting dependencies, it is a complicated steps to figure things out and track. The best approach would be the report detected issues here and we will address them.

[shuklakashish]

Hi @LiangTheDev ,

Thanks for your response.

#2501 is talking about MicrosoftEdgeWebView2RuntimeInstallerX86.exe whereas we are using MicrosoftEdgeWebView2RuntimeInstallerX64.exe so probably it's different.

Please confirm the version of SQLite and Zlib dependencies used with latest 1.3.177.11; black duck scan reports following version being used with latest webview2 (v1.3.177.11) -

• SQLite v 3.23.2

• Zlib v 1.2.11

The black duck scan reports following vulnerabilities with latest 1.3.177.11 version -

The black duck scan reports following vulnerabilities against the zlib v 1.2.11

• 1 High - BDSA-2018-5271 (GHSA-jc36-42cf-vqwj)

• 1 Medium - BDSA-2022-2183 (GHSA-cfmr-vrgj-vqwv)

The black duck scan reports following vulnerabilities against the sqlite v 3.23.2

High vulnerabilities
(1) BDSA-2022-3544 : 8.5 High
(2) BDSA-2018-4423 (CVE-2018-20346) : 8.1 High
(3) BDSA-2019-2110 : 7.7 High
(4) BDSA-2019-2132 : 7.6 High
(5) CVE-2020-11655 : 7.5 High
(6) BDSA-2019-0950 (CVE-2018-20506) : 7.3 High
(7) BDSA-2019-4053 : 7.1 High
(8) BDSA-2019-4055 : 7.1 High

Medium vulnerabilities
(1) BDSA-2019-1472 : 6.7 Medium
(2) BDSA-2020-1222 (CVE-2020-13434) : 6.7 Medium
(3) BDSA-2021-2585 : 6.7 Medium
(4) BDSA-2019-2900(CVE-2019-16168) : 6.7 Medium
(5) BDSA-2020-0327 : 6.7 Medium
(6) BDSA-2020-1221 (CVE-2020-13435): 6.7 Medium
(7) BDSA-2020-1330 : 6.7 Medium
(8) BDSA-2020-4790 : 6.5 Medium
(9) BDSA-2019-4054 : 6.5 Medium
(10) BDSA-2019-3706 : 6.5 Medium
(11) BDSA-2020-1247(CVE-2020-13631) : 6.5 Medium
(12) BDSA-2020-1248(CVE-2020-13632) : 6.5 Medium
(13) BDSA-2019-3712 : 6.5 Medium
(14) BDSA-2019-3907 (CVE-2019-19645) : 6.5 Medium
(15) BDSA-2020-1246 (CVE-2020-13630) : 6.5 Medium
(16) BDSA-2019-2131 : 5.9 Medium
(17) BDSA-2022-2151 (CVE-2022-35737) : 5.9 Medium
(18) CVE-2020-15358 : 5.5 Medium
(19) BDSA-2019-2130 : 5.5 Medium
(20) BDSA-2020-0687 (CVE-2020-11656) : 5.3 Medium
(21) BDSA-2019-0964 (CVE-2018-20505) : 5.3 Medium
(22) BDSA-2019-0813 : 4.8 Medium
(23) BDSA-2019-0814 : 4.8 Medium
(24) BDSA-2019-4134 : 4.6 Medium
(25) BDSA-2019-1682 (CVE-2019-8457) : 4.6 Medium
(26) BDSA-2019-3909 : 4.6 Medium
(27) BDSA-2019-3970 : 4.6 Medium
(28) BDSA-2019-3846 : 4.6 Medium
(29) BDSA-2019-4083 : 4.6 Medium
(30) BDSA-2019-3879 (CVE-2019-19646) : 4.6 Medium

Low vulnerabilties
(1) BDSA-2021-4854 : 3.9 Low
(2) BDSA-2018-4629 : 3 Low

Thanks

[LiangTheDev]

@shuklakashish the version of sqlite is unexpected. Will investigate.

[shuklakashish]

Hi @LiangTheDev ,
Did you get a chance to look into this? Any updates for us? Kindly share your finding. Thanks.

[LiangTheDev]

I've reached out to the related Edge team and they are looking into it. The goal is to fix the issue in future versions. I'll update when there is something to share.

[shuklakashish]

Thanks @LiangTheDev !! Yes, we're on the same page regarding the goal, we definitely want to fix it in future versions.
Sure, I'll wait for you update. I was mainly checking for the information regarding SQLite and zlib versions that are used with latest WebView2 version - 1.3.177.11. Thanks.

[LiangTheDev]

The zlib version is v 1.2.11 and we already have a fix that update it to 1.3. For sqlite, if the tool reports it as 3.23.2, it should be that version. However, that is unexpected and we still don't know what's going on and will make sure that it is not that very old version.

[shuklakashish]

Thank you !!