Out-of-bounds read in SQLite



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-7104
CWE-ID CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software
 SQLite
Server applications / Database software

Vendor SQLite

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Out-of-bounds read

EUVDB-ID: #VU84985

Risk: Medium

CVSSv4.0: 5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-7104

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the sessionReadRecord() function in ext/session/sqlite3session.c when processing a corrupt changeset. A remote user can send a specially crafted request to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SQLite: 3.0.0 - 3.43.0

CPE2.3 External links

https://vuldb.com/?id.248999
https://vuldb.com/?ctiid.248999
https://sqlite.org/forum/forumpost/5bcbf4571c
https://sqlite.org/src/info/0e4e7a05c4204b47


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###