PT-2019-5687 · Sqlite+6 · Sqlite+6

Published

2019-12-23

Updated

2021-09-23

CVE-2019-19959

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions SQLite version 3.30.1

Description The zipfile() function in the SQLite database management system is related to incorrect handling of certain ZIP archives. This issue can be exploited by a remote attacker to cause a denial of service or execute arbitrary code. The problem is specifically related to the handling of certain uses of INSERT INTO in situations involving embedded '0' characters in filenames, leading to a memory-management error.

Recommendations For SQLite version 3.30.1, consider restricting the use of the zipfile() function until a patch is available. As a temporary workaround, avoid using the INSERT INTO statement with filenames containing embedded '0' characters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2020-1088

BDU:2020-05666

CESA-2020_1810

CVE-2019-19959

OPENSUSE-SU-2021:1058-1

OPENSUSE-SU-2021:2320-1

OPENSUSE-SU-2021_1058-1

OPENSUSE-SU-2021_2320-1

RHSA-2020:1810

RHSA-2020_1810

SUSE-SU-2021:2320-1

SUSE-SU-2021:3215-1

USN-4298-1

Affected Products

Alt Linux

Astra Linux

Centos

Red Hat

Sqlite

Suse

Ubuntu

PT-2019-5687 · Sqlite+6 · Sqlite+6

CVE-2019-19959

Weakness Enumeration

Related Identifiers

Affected Products

References · 87