CVE-2018-20506

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-20506
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20506.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-20506
Related
Published
2019-04-03T18:29:01Z
Modified
2024-09-18T01:00:22Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.

References

Affected packages

Debian:11 / sqlite3

Package

Name
sqlite3
Purl
pkg:deb/debian/sqlite3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.25.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / sqlite3

Package

Name
sqlite3
Purl
pkg:deb/debian/sqlite3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.25.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / sqlite3

Package

Name
sqlite3
Purl
pkg:deb/debian/sqlite3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.25.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}