CVE-2021-3119

Published: 25 March 2021

Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a remote denial of service attack. For example, an SQL injection can be used to execute the crafted SQL command sequence, which causes a segmentation fault.

Notes

Author    Note
sbeattie  introduced in 4.1.0 it seems

Priority

Medium

CVSS 3 Severity Score

7.5

Status

Package: sqlcipher (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Not vulnerable (introduced in 4.1.0)
focal     Not vulnerable (introduced in 4.1.0)
groovy    Not vulnerable (introduced in 4.1.0)
trusty    Does not exist
upstream  Released (4.4.3)
xenial    Not vulnerable (introduced in 4.1.0)

Patches:
upstream: https://github.com/sqlcipher/sqlcipher/commit/cb71f53e8cea4802509f182fa5bead0ac6ab0e7f#diff-9305215a9a0ea69300281fc4af90bc7f3437e34a0e1745d030213152993ddae4

Severity score breakdown

Parameter            Value
Base score           7.5
Attack vector        Network
Attack complexity    Low
Privileges required  None
User interaction     None
Scope                Unchanged
Confidentiality      None
Integrity impact     None
Availability impact  High
Vector               CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H