CVE-2019-19880: SQL Injection
First published: Wed Dec 18 2019(Updated: )
exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Data Risk Manager | <=2.0.6 | |
| SQLite SQLite | =3.30.1 | |
| Netapp Cloud Backup | ||
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Leap | =15.1 | |
| Oracle Mysql Workbench | <=8.0.19 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| All of | ||
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 | |
| ubuntu/sqlite3 | <3.29.0-2ubuntu0.2 | 3.29.0-2ubuntu0.2 |
| debian/chromium | 90.0.4430.212-1~deb10u1 120.0.6099.224-1~deb11u1 121.0.6167.139-1~deb12u1 124.0.6367.118-1~deb12u1 123.0.6312.105-1~deb13u1 124.0.6367.118-1 | |
| debian/sqlite | 2.8.17-15 2.8.17-15+deb10u1 | |
| debian/sqlite3 | 3.27.2-3+deb10u1 3.27.2-3+deb10u2 3.34.1-3 3.40.1-2 3.45.1-1 3.45.3-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/173387
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
- https://access.redhat.com/errata/RHSA-2020:0514
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54
- https://security.netapp.com/advisory/ntap-20200114-0001/
- https://usn.ubuntu.com/4298-1/
- https://www.debian.org/security/2020/dsa-4638
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://launchpad.net/bugs/cve/CVE-2019-19880
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1787036
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1787034
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1787035
- https://access.redhat.com/security/cve/cve-2019-19880
- https://bugzilla.redhat.com/show_bug.cgi?id=1787032
- https://github.com/sqlite/sqlite/commit/08f6de7f314ad6b15d34cc5f27c3e737fcd99268
- https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089
- https://security-tracker.debian.org/tracker/CVE-2019-19880
- https://ubuntu.com/security/notices/USN-4298-1
- https://www.cve.org/CVERecord?id=CVE-2019-19880
- https://nvd.nist.gov/vuln/detail/CVE-2019-19880
- https://ubuntu.com/security/CVE-2019-19880
Frequently Asked Questions
What is CVE-2019-19880?
CVE-2019-19880 is a vulnerability in SQLite that allows attackers to trigger an invalid pointer dereference, leading to a denial of service.
How severe is CVE-2019-19880?
CVE-2019-19880 has a severity score of 7.5 out of 10, indicating a high severity.
Which software products are affected by CVE-2019-19880?
IBM Data Risk Manager, Debian, Chromium, SQLite, SQLite3, Netapp Cloud Backup, Suse Package Hub, SUSE Linux Enterprise, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation, openSUSE Backports SLE, openSUSE Leap, Oracle MySQL Workbench, Siemens Sinec Infrastructure Network Services, and Ubuntu.
How can I fix CVE-2019-19880 in IBM Data Risk Manager?
To fix CVE-2019-19880 in IBM Data Risk Manager, update to version 2.0.6 or later. Apply the patch provided by IBM: [IBM Security Fix Central](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all)
How can I fix CVE-2019-19880 in Debian?
To fix CVE-2019-19880 in Debian, update the 'sqlite' or 'sqlite3' package to the latest version available. Check the Debian security advisory for detailed information.
- collector/ibm-support
- collector/nvd-index
- agent/type
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-19880
- agent/first-publish-date
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/remedy
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- vendor/sqlite
- canonical/sqlite sqlite
- version/sqlite sqlite/3.30.1
- vendor/netapp
- canonical/netapp cloud backup
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/suse
- canonical/suse package hub
- canonical/suse linux enterprise
- version/suse linux enterprise/12.0
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp1
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/oracle
- canonical/oracle mysql workbench
- version/oracle mysql workbench/8.0.19
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- package-manager/debian
- package-manager/ubuntu