First published: Fri Mar 22 2019
In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SQLite | =3.27.2 | |
| Google Android | | |
| ubuntu/sqlite3 | <3.22.0-1ubuntu0.1 | 3.22.0-1ubuntu0.1 |
| ubuntu/sqlite3 | <3.24.0-1ubuntu0.1 | 3.24.0-1ubuntu0.1 |
| ubuntu/sqlite3 | <3.27.2-2 | 3.27.2-2 |
| ubuntu/sqlite3 | <3.11.0-1ubuntu1.2 | 3.11.0-1ubuntu1.2 |
| debian/sqlite | 2.8.17-15, 2.8.17-15+deb10u1 | |
| debian/sqlite3 | 3.27.2-3+deb10u1, 3.27.2-3+deb10u2, 3.34.1-3, 3.40.1-2, 3.45.3-1 | |
The severity of CVE-2019-9936 is high, with a CVSS score of 7.5.
Running fts5 prefix queries inside a transaction can trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which can leak heap memory contents to the caller.
SQLite 3.27.2 is affected by CVE-2019-9936, and so is Google Android.
To fix the vulnerability in SQLite 3.27.2, update to a version that is not affected; for the Ubuntu packages listed above, the fixed package versions are given in the table.