CVE-2019-8457

HIGH

Description

SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/

https://security.netapp.com/advisory/ntap-20190606-0002/

https://usn.ubuntu.com/4004-1/

https://usn.ubuntu.com/4004-2/

https://usn.ubuntu.com/4019-1/

https://usn.ubuntu.com/4019-2/

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.sqlite.org/releaselog/3_28_0.html

https://www.sqlite.org/src/info/90acdbfce9c08858

Details

Source: MITRE

Published: 2019-05-30

Updated: 2020-07-15

Type: CWE-125

Risk Information

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:* versions from 3.6.0 to 3.27.2 (inclusive)

Configuration 2

OR

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

Tenable Plugins

View all (22 total)

IDNameProductFamilySeverity
145795CentOS 8 : sqlite (CESA-2020:1810)NessusCentOS Local Security Checks
high
138774NewStart CGSL MAIN 6.01 : sqlite Multiple Vulnerabilities (NS-SA-2020-0031)NessusNewStart CGSL Local Security Checks
high
136056RHEL 8 : sqlite (RHSA-2020:1810)NessusRed Hat Local Security Checks
high
134746EulerOS Virtualization 3.0.2.2 : sqlite (EulerOS-SA-2020-1280)NessusHuawei Local Security Checks
high
134496EulerOS Virtualization for ARM 64 3.0.2.0 : sqlite (EulerOS-SA-2020-1207)NessusHuawei Local Security Checks
high
132942FreeBSD : MySQL -- Multiple vulerabilities (a6cf65ad-37d2-11ea-a1c7-b499baebfeaf)NessusFreeBSD Local Security Checks
high
131615EulerOS 2.0 SP2 : sqlite (EulerOS-SA-2019-2461)NessusHuawei Local Security Checks
high
131513EulerOS Virtualization for ARM 64 3.0.3.0 : sqlite (EulerOS-SA-2019-2348)NessusHuawei Local Security Checks
high
129253EulerOS 2.0 SP3 : sqlite (EulerOS-SA-2019-2060)NessusHuawei Local Security Checks
high
129185EulerOS 2.0 SP5 : sqlite (EulerOS-SA-2019-1991)NessusHuawei Local Security Checks
high
128183EulerOS 2.0 SP8 : sqlite (EulerOS-SA-2019-1814)NessusHuawei Local Security Checks
high
127506Fedora 29 : sqlite (2019-3377813d18)NessusFedora Local Security Checks
high
127103Fedora 30 : sqlite (2019-02b81266b7)NessusFedora Local Security Checks
high
126331openSUSE Security Update : sqlite3 (openSUSE-2019-1645)NessusSuSE Local Security Checks
high
126210Photon OS 2.0: Sqlite PHSA-2019-2.0-0162NessusPhotonOS Local Security Checks
high
126208Photon OS 3.0: Sqlite PHSA-2019-3.0-0018NessusPhotonOS Local Security Checks
high
126202Photon OS 1.0: Sqlite PHSA-2019-1.0-0237NessusPhotonOS Local Security Checks
high
126156SUSE SLED12 / SLES12 Security Update : sqlite3 (SUSE-SU-2019:1601-1)NessusSuSE Local Security Checks
high
126065Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : SQLite vulnerabilities (USN-4019-1)NessusUbuntu Local Security Checks
high
125986SUSE SLES12 Security Update : sqlite3 (SUSE-SU-2019:1522-1)NessusSuSE Local Security Checks
high
125944SUSE SLES11 Security Update : sqlite3 (SUSE-SU-2019:14083-1)NessusSuSE Local Security Checks
high
125720Ubuntu 14.04 LTS : db5.3 vulnerability (USN-4004-2)NessusUbuntu Local Security Checks
high