PT-2019-5687 · Sqlite+6 · Sqlite+6

Publicado

2019-12-23

Atualizado

2021-09-23

CVE-2019-19959

CVSS v2.0

7.8

Alta

Vetor

AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions SQLite version 3.30.1

Description The zipfile() function in the SQLite database management system is related to incorrect handling of certain ZIP archives. This issue can be exploited by a remote attacker to cause a denial of service or execute arbitrary code. The problem is specifically related to the handling of certain uses of INSERT INTO in situations involving embedded '0' characters in filenames, leading to a memory-management error.

Recommendations For SQLite version 3.30.1, consider restricting the use of the zipfile() function until a patch is available. As a temporary workaround, avoid using the INSERT INTO statement with filenames containing embedded '0' characters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

ALT-PU-2020-1088

BDU:2020-05666

CESA-2020_1810

CVE-2019-19959

OPENSUSE-SU-2021:1058-1

OPENSUSE-SU-2021:2320-1

OPENSUSE-SU-2021_1058-1

OPENSUSE-SU-2021_2320-1

RHSA-2020:1810

RHSA-2020_1810

SUSE-SU-2021:2320-1

SUSE-SU-2021:3215-1

USN-4298-1

Produtos afetados

Alt Linux

Astra Linux

Centos

Red Hat

Sqlite

Suse

Ubuntu

PT-2019-5687 · Sqlite+6 · Sqlite+6

CVE-2019-19959

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 87