Vulnerability Details : CVE-2019-19880
exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.
Products affected by CVE-2019-19880
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
- cpe:2.3:a:sqlite:sqlite:3.30.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19880
11.24%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 93 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-19880
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-19880
-
The product dereferences a pointer that it expects to be valid but is NULL.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19880
-
https://www.oracle.com/security-alerts/cpuapr2020.html
Oracle Critical Patch Update Advisory - April 2020Patch;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
[security-announce] openSUSE-SU-2020:0210-1: important: Security updateMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20200114-0001/
CVE-2019-19880 SQLite Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
[security-announce] openSUSE-SU-2020:0189-1: important: Security updateMailing List;Third Party Advisory
-
https://usn.ubuntu.com/4298-1/
USN-4298-1: SQLite vulnerabilities | Ubuntu security noticesBroken Link
-
https://www.debian.org/security/2020/dsa-4638
Debian -- Security Information -- DSA-4638-1 chromiumThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
[security-announce] openSUSE-SU-2020:0233-1: important: Security updateMailing List;Third Party Advisory
-
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Patch;Third Party Advisory
-
https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54
When processing constant integer values in ORDER BY clauses of window · sqlite/sqlite@75e95e1 · GitHubPatch;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2020:0514
RHSA-2020:0514 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Jump to