REDHAT-BUG-1659379: SQL Injection
First published: Fri Dec 14 2018(Updated: )
Multiple flaws were found in sqlite. An attacker who is able to run arbitrary SQL statements could use this flaw to corrupt the internal databases, which can lead to arbitrary code execution as the user running sqlite. This issue was fixed via sqlite-3.25.3 release at: <a href="https://www.sqlite.org/releaselog/3_25_3.html">https://www.sqlite.org/releaselog/3_25_3.html</a> Also sqlite-3.36 introduced SQLITE_DBCONFIG_DEFENSIVE option which when added to the config file, could prevent attackers for corrupting the internal database files. This could however break applications which require users to write these database files. <a href="https://www.sqlite.org/releaselog/3_26_0.html">https://www.sqlite.org/releaselog/3_26_0.html</a> <a href="https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive">https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SQLite JDBC | <3.25.3>=3.25.3<3.36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.sqlite.org/releaselog/3_25_3.html
- https://www.sqlite.org/releaselog/3_26_0.html
- https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1659677
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1659363
- https://access.redhat.com/errata/RHSA-2018:3803
- https://www.sqlite.org/security.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1659907
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1659908
- https://access.redhat.com/articles/3758321
- https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
- https://blade.tencent.com/magellan/index_en.html
- https://www.sqlite.org/src/info/940f2adc8541a838
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1659379#c27
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1659379#c29
- https://access.redhat.com/security/cve/CVE-2018-20346
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1659379#c12
- https://bugzilla.redhat.com/show_bug.cgi?id=1659379
Frequently Asked Questions
What is the severity of REDHAT-BUG-1659379?
The severity of REDHAT-BUG-1659379 is critical due to the potential for arbitrary code execution.
How do I fix REDHAT-BUG-1659379?
To fix REDHAT-BUG-1659379, update SQLite to version 3.25.3 or later.
What products are affected by REDHAT-BUG-1659379?
The affected products by REDHAT-BUG-1659379 include SQLite versions prior to 3.25.3 and between 3.25.3 and 3.36.
What kind of attack is possible with REDHAT-BUG-1659379?
An attacker can run arbitrary SQL statements that could corrupt internal databases due to REDHAT-BUG-1659379.
What are the implications of exploiting REDHAT-BUG-1659379?
Exploitation of REDHAT-BUG-1659379 could lead to arbitrary code execution with the privileges of the SQLite process.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-20346
- agent/source
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/sqlite
- canonical/sqlite