CVE-2015-3415 — Improper Resource Shutdown or Release in Sqlite

CWE-404 — Improper Resource Shutdown or Release CWE-20 — Improper Input Validation13 documents9 sources

Severity

7.5HIGHNVD

EPSS

5.7%

top 9.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ghost Sqlite3 PHP Sqlite +4 more

Timeline

PublishedApr 24

Latest updateMay 14

Description

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

▶Debianghost/sqlite3< 3.8.9-1+3

▶NVDsqlite/sqlite3.8.8.3

▶NVDphp/php5.4.0 — 5.4.42+2

▶NVDapple/watchos1.0.1

▶NVDapple/mac_os_x10.10.5

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.04

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-p88q-qx6q-mhv3: The sqlite3VdbeExec function in vdbe↗2022-05-14

▶

CVEList

CVE-2015-3415: The sqlite3VdbeExec function in vdbe↗2015-04-24

▶

OSV

CVE-2015-3415: The sqlite3VdbeExec function in vdbe↗2015-04-24

▶

📋Vendor Advisories

Apple

CVE-2015-3415: iTunes 12.6 for Windows↗2017-03-21

▶

Apple

CVE-2015-3415: iTunes 12.6↗2017-03-21

▶

Ubuntu

SQLite vulnerabilities↗2015-07-30

▶

Red Hat

sqlite: invalid free() in src/vdbe.c↗2015-03-31

▶

Debian

CVE-2015-3415: sqlite3 - The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly ...↗2015

▶

💬Community

Bugzilla

CVE-2015-3415 sqlite: invalid free() in src/vdbe.c↗2015-04-16

▶