CPANSA-DBD-SQLite-2018-20346: DBD-SQLite vulnerability

Publisher giterlizzi Document category csaf_security_advisory
Initial release date 2018-12-21T00:00:00 Engine CSAF Perl Toolkit 0.25
Current release date 2018-12-21T00:00:00 Build Date
Current version 1 Status final
CVSS v3.1 Base Score 8.1 Severity High
Original language Language en
Also referred to

Vulnerability Description

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.

Vulnerabilities

CVE-2018-20346

Vulnerability Description

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.

Weakness CWE-190 : Integer Overflow or Wraparound

Product status

Known affected
Product Score
DBD-SQLite less than 1.61_01
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 8.1 High
2.0 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 Medium
Fixed

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

Revision history

Version Date of the revision Summary of the revision
1 Fri Dec 21 00:00:00 2018 First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/