#VU23794 Untrusted Pointer Dereference in SQLite


Published: 2019-12-23 | Updated: 2020-01-22

Vulnerability identifier: #VU23794

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2019-19880

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
SQLite
Server applications / Database software

Vendor: SQLite

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to invalid pointer dereference in exprListAppendList() function in window.c when processing constant integer values in ORDER BY clauses. A remote attacker with ability to interact with a query can execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SQLite: 3.25.0 - 3.30.1

Fixed software versions

CPE

External links
http://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT
Multiple vulnerabilities in Autodesk InfraWorks
Multiple vulnerabilities in Dell EMC VxRail Appliance
Multiple vulnerabilities in Dell EMC Data Protection Search
Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance
Multiple vulnerabilities in Siemens SINEC INS
SUSE update for sqlite3
SUSE update for sqlite3
Debian update for chromium
OpenSUSE Linux update for chromium, re2