PT-2017-2464 · Sqlite+3 · Sqlite+3

Published

2017-07-07

Updated

2021-09-23

CVE-2017-10989

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SQLite versions prior to 3.19.4

Description The issue is related to the getNodeSize function in SQLite, which mishandles undersized RTree blobs in a crafted database. This can lead to a heap-based buffer over-read or possibly other unspecified impacts. The vulnerability is caused by a buffer overflow in memory, allowing a remote attacker to potentially exploit it by using reduced-size RTree blobs in a created database.

Recommendations For SQLite versions prior to 3.19.4, update to version 3.19.4 or later to resolve the issue. As a temporary workaround, consider restricting access to crafted databases that may contain undersized RTree blobs to minimize the risk of exploitation.

Fix

Out of bounds Read

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-125CWE-119

Related Identifiers

ALT-PU-2017-2119

BDU:2017-01674

CVE-2017-10989

DLA-1018-1

DLA-1633-1

MGASA-2017-0238

OPENSUSE-SU-2019_1426-1

SUSE-SU-2019:1208-1

SUSE-SU-2019:1522-1

SUSE-SU-2019_1208-1

SUSE-SU-2019_1522-1

SUSE-SU-2021:3215-1

USN-4019-1

USN-4019-2

Affected Products

Alt Linux

Sqlite

Suse

Ubuntu

PT-2017-2464 · Sqlite+3 · Sqlite+3

CVE-2017-10989

Weakness Enumeration

Related Identifiers

Affected Products

References · 148