Input validation error in SQLite

#VU23792 Input validation error in SQLite

Published: 2019-12-23 | Updated: 2020-01-22

Vulnerability identifier: #VU23792

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-19646

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
SQLite
Server applications / Database software

Vendor: SQLite

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of NOT NULL in an integrity_check PRAGMA command in pragma.c when generating certain columns. A remote attacker can perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SQLite: 3.8.6 - 3.30.1

Fixed software versions

CPE

cpe:2.3:a:sqlite:sqlite:3.30.0:*:*:*:*:*:*:*

External links
http://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3
http://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT

Multiple vulnerabilities in Dell EMC VxRail Appliance

Multiple vulnerabilities in Dell EMC Data Protection Search

Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance

Multiple vulnerabilities in Siemens SINEC INS

SUSE update for sqlite3

Multiple vulnerabilities in Tenable.sc

SUSE update for sqlite3

Multiple vulnerabilities in MySQL Workbench

Multiple vulnerabilities in SQLite