CVE-2019-9936
Published: 22 March 2019
In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
Priority
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- https://sqlite.org/src/info/b3fa58dd7403dbd4
- https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114382.html
- https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114394.html
- https://ubuntu.com/security/notices/USN-4019-1
- https://www.cve.org/CVERecord?id=CVE-2019-9936
- NVD
- Launchpad
- Debian