CVE-2019-8457

high-risk

Published 2019-05-30

SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

Do I need to act?

26.8% chance of exploitation in next 30 days

EPSS score — higher than 73% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Sqlite

Ubuntu Linux

Fedora

Leap

Canonical Fedoraproject Opensuse Sqlite

Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20190606-0002/

Third Party Advisory https://usn.ubuntu.com/4004-1/

Third Party Advisory https://usn.ubuntu.com/4004-2/

Third Party Advisory https://usn.ubuntu.com/4019-1/

Third Party Advisory https://usn.ubuntu.com/4019-2/

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

Patch https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Release Notes https://www.sqlite.org/releaselog/3_28_0.html

Patch https://www.sqlite.org/src/info/90acdbfce9c08858

Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20190606-0002/

and 10 more references

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 15/34 · Moderate

Exposure 15/34 · Moderate