CVE-2019-5018: Use After Free in Sqlite3

CWE-416: Use After Free | 10 documents | 9 sources

Severity: 8.1 HIGH (NVD)
EPSS: 2.7% (top 14.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 10; Latest update May 24

Description

An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (3 packages)

Debian: ghost/sqlite3 < 3.27.2-3+3
CVEListV5: ghost/sqlite3, SQLite 3.26.0, 3.27.0
NVD: sqlite/sqlite 3.26.0

Also affects: Ubuntu Linux 12.04, 16.04, 18.04, 19.04, 19.10

🔴 Vulnerability Details (3)

GHSA
GHSA-qgrg-5hv8-3w32: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3 (2022-05-24)
CVEList
CVE-2019-5018: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3 (2019-05-10)
OSV
CVE-2019-5018: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3 (2019-05-10)

📋 Vendor Advisories (4)

Android
CVE-2019-5018: Android Security Bulletin 2020-04-01 CVE: CVE-2019-5018 Severity: HIGH Type: EoP Affected AOSP versions: 8 (2020-04-01)
Ubuntu
SQLite vulnerabilities (2019-12-02)
Red Hat
sqlite: Use-after-free in window function leading to remote code execution (2019-05-09)
Debian
CVE-2019-5018: sqlite3 - An exploitable use after free vulnerability exists in the window function functi... (2019)

💬 Community (2)

Bugzilla
CVE-2019-5018 sqlite: sqlite3: use-after-free in window function leading to remote code execution [fedora-30] (2019-12-17)
Bugzilla
CVE-2019-5018 sqlite: Use-after-free in window function leading to remote code execution (2019-05-09)