CVE-2018-20506

Name of the Vulnerable Software and Affected Versions SQLite versions prior to 3.25.3

Description The issue is caused by an integer overflow in the FTS3 extension of the SQLite database management system, which results in a buffer overflow for FTS3 queries in a "merge" operation. This occurs after crafted changes to FTS3 shadow tables. Remote attackers can exploit this issue to execute arbitrary code by leveraging the ability to run arbitrary SQL statements, such as in certain WebSQL use cases.

Recommendations For SQLite versions prior to 3.25.3, update to version 3.25.3 or later to resolve the issue. As a temporary workaround, consider disabling the FTS3 extension until a patch is available. Restrict access to the FTS3 module to minimize the risk of exploitation. Avoid using the FTS3 queries in merge operations until the issue is resolved.