CVE-2019-19880

Published: Dec 18, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.

Affected (12)

Products: Sqlite: Sqlite · Netapp: Cloud Backup · Debian: Debian Linux · +5 more

Show all products

Sqlite: Sqlite · Netapp: Cloud Backup · Debian: Debian Linux · Suse: Package Hub · Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · Opensuse: Backports Sle, Leap · Oracle: Mysql Workbench · Siemens: Sinec Infrastructure Network Services

1 product

1 product

1 product

1 product

3 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

2 products

1 product

1 product

Sinec Infrastructure Network Services

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sqlite Sqlite	Version 3.30.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Cloud Backup	All versions

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Suse Package Hub	All versions

Running on/with	Platform Versions
Suse Linux Enterprise	Version 12.0

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Workstation	Version 6.0

Configuration F

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Backports Sle	Version 15.0 sp1
Opensuse Leap	Version 15.1

Configuration G

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Mysql Workbench	Up to 8.0.19

Configuration H

1 vulnerable

Vulnerable Software	Affected Versions
Siemens Sinec Infrastructure Network Services	Before 1.0.1.1

Related CWEs

CWE-476

NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

References (20)

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHSA-2020:0514

Source: cve@mitre.org

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54

Source: cve@mitre.org

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20200114-0001/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4298-1/

Source: cve@mitre.org

Broken Link

https://www.debian.org/security/2020/dsa-4638

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

PatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html