CVE-2015-3414 — Use of Uninitialized Resource in Sqlite

CWE-908 — Use of Uninitialized Resource CWE-20 — Improper Input Validation CWE-456 — Missing Initialization of a Variable14 documents9 sources

Severity

7.5HIGHNVD

EPSS

5.7%

top 9.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ghost Sqlite3 PHP Sqlite +4 more

Timeline

PublishedApr 24

Latest updateMay 14

Description

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

▶Debianghost/sqlite3< 3.8.9-1+3

▶NVDsqlite/sqlite3.8.8.3

▶NVDphp/php5.4.0 — 5.4.42+2

▶NVDapple/watchos1.0.1

▶NVDapple/mac_os_x10.10.5

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.04

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-9qxq-827h-4w5v: SQLite before 3↗2022-05-14

▶

OSV

sqlite3 vulnerabilities↗2015-07-30

▶

CVEList

CVE-2015-3414: SQLite before 3↗2015-04-24

▶

OSV

CVE-2015-3414: SQLite before 3↗2015-04-24

▶

📋Vendor Advisories

Apple

CVE-2015-3414: iTunes 12.6↗2017-03-21

▶

Apple

CVE-2015-3414: iTunes 12.6 for Windows↗2017-03-21

▶

Ubuntu

SQLite vulnerabilities↗2015-07-30

▶

Red Hat

sqlite: use of uninitialized memory when parsing collation sequences in src/where.c↗2015-03-31

▶

Debian

CVE-2015-3414: sqlite3 - SQLite before 3.8.9 does not properly implement the dequoting of collation-seque...↗2015

▶

💬Community

Bugzilla

CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c↗2015-04-16

▶