Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-20218 |
CWE-ID | CWE-401 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | SUSE Linux Enterprise Point of Sale, SUSE Linux Enterprise Debuginfo, SUSE Linux Enterprise Server (Operating systems & Components / Operating system); sqlite3-debuginfo, libsqlite3-0-32bit, sqlite3, libsqlite3-0 (Operating systems & Components / Operating system package or component) |
Vendor | SUSE |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU24065
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-20218
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a memory leak within the selectExpander() function in select.c in SQLite, caused by incorrect exception handling related to stack unwinding. A remote attacker with the ability to modify the WITH SQL query can trigger the vulnerability and gain access to potentially sensitive information.
Update the affected package sqlite3 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Point of Sale: 11-SP3
SUSE Linux Enterprise Debuginfo: 11-SP4
SUSE Linux Enterprise Server: 11-SP4-LTSS
sqlite3-debuginfo: before 3.7.6.3-1.4.7.15.1
libsqlite3-0-32bit: before 3.7.6.3-1.4.7.15.1
sqlite3: before 3.7.6.3-1.4.7.15.1
libsqlite3-0: before 3.7.6.3-1.4.7.15.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-202114771-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.