PT-2019-4842 · Sqlite+4 · Sqlite+4

Published: 2019-11-15 · Updated: 2022-04-15 · CVE-2019-19244

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions: SQLite version 3.30.1

Description: The issue is related to an error in the sqlite3Select function of the SQLite database management system, which occurs when the DISTINCT operator is used. This can be exploited by a remote attacker to cause a denial of service. Specifically, the problem arises when a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.

Recommendations: For SQLite version 3.30.1, consider applying a patch or fix that addresses the issue in the sqlite3Select function to prevent potential denial of service attacks. As a temporary workaround, avoid using the DISTINCT operator in sub-selects that also utilize window functions and specific ORDER BY clauses until a patch is available.

Fix

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2020-1088
ALT-PU-2020-2094
ALT-PU-2020-2183
BDU:2020-01426
CVE-2019-19244
MGASA-2020-0070
OPENSUSE-SU-2021:1058-1
OPENSUSE-SU-2021:2320-1
OPENSUSE-SU-2021_1058-1
OPENSUSE-SU-2021_2320-1
SUSE-SU-2021:2320-1
SUSE-SU-2021:3215-1
USN-4205-1

Affected Products

Alt Linux
Astra Linux
Sqlite
Suse
Ubuntu