Vulnerability Details : CVE-2017-10989
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
Products affected by CVE-2017-10989
- cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-10989
- 0.69%: Probability of exploitation activity in the next 30 days
- ~ 80%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-10989
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2017-10989
- The product reads data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-10989
- https://support.apple.com/HT208112
  About the security content of iOS 11 - Apple Support
- http://www.securitytracker.com/id/1039427
  Apple macOS/OS X Multiple Flaws Let Remote and Local Users Bypass Security and Deny Service, Local Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges - SecurityT
- https://support.apple.com/HT208113
  About the security content of tvOS 11 - Apple Support
- https://support.apple.com/HT208115
  About the security content of watchOS 4 - Apple Support
- https://support.apple.com/HT208144
  About the security content of macOS High Sierra 10.13 - Apple Support
- https://usn.ubuntu.com/4019-1/
  USN-4019-1: SQLite vulnerabilities | Ubuntu security notices
- https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26
  (Patch; Vendor Advisory)
- https://usn.ubuntu.com/4019-2/
  USN-4019-2: SQLite vulnerabilities | Ubuntu security notices
- https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html
  [SECURITY] [DLA 1633-1] sqlite3 security update
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405
  2405 - gdal: Crash in nodeAcquire - oss-fuzz - Monorail (Permissions Required)
- https://sqlite.org/src/info/66de6f4a
  SQLite: Check-in [66de6f4a] (Issue Tracking; Patch; Vendor Advisory)
- https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937
  Bug #1700937 “Heap-buffer overflow in nodeAcquire” : Bugs : sqlite3 package : Ubuntu (Issue Tracking; Patch; Third Party Advisory)
- http://marc.info/?l=sqlite-users&m=149933696214713&w=2
  'Re: [sqlite] clusterfuzz-found issue in GDAL, Ubuntu packages' - MARC (Patch; Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
  CPU July 2018
- http://www.securityfocus.com/bid/99502
  SQLite CVE-2017-10989 Heap Buffer Overflow Vulnerability (Third Party Advisory; VDB Entry)
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html
  [security-announce] openSUSE-SU-2019:1426-1: moderate: Security update f