#VU23188 Division by zero


Published: 2019-12-02 | Updated: 2021-06-20

Vulnerability identifier: #VU23188

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-16168

CWE-ID: CWE-369

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
SQLite
Server applications / Database software

Vendor: SQLite

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the whereLoopAddBtreeIndex in sqlite3.c due to improper input validation in the sqlite_stat1 sz field. A remote attacker can pass specially crafted data to the application, trigger division by zero error and crash the vulnerable application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SQLite: 3.20.0 - 3.29.0


CPE

External links
http://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
http://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
http://www.sqlite.org/src/timeline?c=98357d8c1263920b


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability