diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:07:11 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:07:11 +0000 |
commit | 63847496f14c813a5d80efd5b7de0f1294ffe1e3 (patch) | |
tree | 01c7571c7c762ceee70638549a99834fdd7c411b /www/cves.html | |
parent | Initial commit. (diff) | |
download | sqlite3-63847496f14c813a5d80efd5b7de0f1294ffe1e3.tar.xz sqlite3-63847496f14c813a5d80efd5b7de0f1294ffe1e3.zip |
Adding upstream version 3.45.1.upstream/3.45.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'www/cves.html')
-rw-r--r-- | www/cves.html | 783 |
1 files changed, 783 insertions, 0 deletions
diff --git a/www/cves.html b/www/cves.html new file mode 100644 index 0000000..7d1714b --- /dev/null +++ b/www/cves.html @@ -0,0 +1,783 @@ +<!DOCTYPE html> +<html><head> +<meta name="viewport" content="width=device-width, initial-scale=1.0"> +<meta http-equiv="content-type" content="text/html; charset=UTF-8"> +<link href="sqlite.css" rel="stylesheet"> +<title>Vulnerabilities</title> +<!-- path= --> +</head> +<body> +<div class=nosearch> +<a href="index.html"> +<img class="logo" src="images/sqlite370_banner.gif" alt="SQLite" border="0"> +</a> +<div><!-- IE hack to prevent disappearing logo --></div> +<div class="tagline desktoponly"> +Small. Fast. Reliable.<br>Choose any three. +</div> +<div class="menu mainmenu"> +<ul> +<li><a href="index.html">Home</a> +<li class='mobileonly'><a href="javascript:void(0)" onclick='toggle_div("submenu")'>Menu</a> +<li class='wideonly'><a href='about.html'>About</a> +<li class='desktoponly'><a href="docs.html">Documentation</a> +<li class='desktoponly'><a href="download.html">Download</a> +<li class='wideonly'><a href='copyright.html'>License</a> +<li class='desktoponly'><a href="support.html">Support</a> +<li class='desktoponly'><a href="prosupport.html">Purchase</a> +<li class='search' id='search_menubutton'> +<a href="javascript:void(0)" onclick='toggle_search()'>Search</a> +</ul> +</div> +<div class="menu submenu" id="submenu"> +<ul> +<li><a href='about.html'>About</a> +<li><a href='docs.html'>Documentation</a> +<li><a href='download.html'>Download</a> +<li><a href='support.html'>Support</a> +<li><a href='prosupport.html'>Purchase</a> +</ul> +</div> +<div class="searchmenu" id="searchmenu"> +<form method="GET" action="search"> +<select name="s" id="searchtype"> +<option value="d">Search Documentation</option> +<option value="c">Search Changelog</option> +</select> +<input type="text" name="q" id="searchbox" value=""> +<input type="submit" value="Go"> +</form> +</div> +</div> +<script> +function toggle_div(nm) { +var w = document.getElementById(nm); +if( w.style.display=="block" ){ +w.style.display = "none"; +}else{ +w.style.display = "block"; +} +} +function toggle_search() { +var w = document.getElementById("searchmenu"); +if( w.style.display=="block" ){ +w.style.display = "none"; +} else { +w.style.display = "block"; +setTimeout(function(){ +document.getElementById("searchbox").focus() +}, 30); +} +} +function div_off(nm){document.getElementById(nm).style.display="none";} +window.onbeforeunload = function(e){div_off("submenu");} +/* Disable the Search feature if we are not operating from CGI, since */ +/* Search is accomplished using CGI and will not work without it. */ +if( !location.origin || !location.origin.match || !location.origin.match(/http/) ){ +document.getElementById("search_menubutton").style.display = "none"; +} +/* Used by the Hide/Show button beside syntax diagrams, to toggle the */ +function hideorshow(btn,obj){ +var x = document.getElementById(obj); +var b = document.getElementById(btn); +if( x.style.display!='none' ){ +x.style.display = 'none'; +b.innerHTML='show'; +}else{ +x.style.display = ''; +b.innerHTML='hide'; +} +return false; +} +var antiRobot = 0; +function antiRobotGo(){ +if( antiRobot!=3 ) return; +antiRobot = 7; +var j = document.getElementById("mtimelink"); +if(j && j.hasAttribute("data-href")) j.href=j.getAttribute("data-href"); +} +function antiRobotDefense(){ +document.body.onmousedown=function(){ +antiRobot |= 2; +antiRobotGo(); +document.body.onmousedown=null; +} +document.body.onmousemove=function(){ +antiRobot |= 2; +antiRobotGo(); +document.body.onmousemove=null; +} +setTimeout(function(){ +antiRobot |= 1; +antiRobotGo(); +}, 100) +antiRobotGo(); +} +antiRobotDefense(); +</script> +<div class=fancy> +<div class=nosearch> +<div class="fancy_title"> +Vulnerabilities +</div> +<div class="fancy_toc"> +<a onclick="toggle_toc()"> +<span class="fancy_toc_mark" id="toc_mk">►</span> +Table Of Contents +</a> +<div id="toc_sub"><div class="fancy-toc1"><a href="#executive_summary">1. Executive Summary</a></div> +<div class="fancy-toc1"><a href="#about_cves">2. About CVEs</a></div> +<div class="fancy-toc2"><a href="#a_separate_sql_injection_vulnerability_is_usually_required">2.1. A separate SQL injection vulnerability is usually required</a></div> +<div class="fancy-toc2"><a href="#defense_against_dark_arts">2.2. Defense Against Dark Arts</a></div> +<div class="fancy-toc2"><a href="#the_sqlite_developer_policy_toward_cves">2.3. The SQLite Developer Policy Toward CVEs</a></div> +<div class="fancy-toc1"><a href="#status_of_recent_sqlite_cves">3. Status Of Recent SQLite CVEs</a></div> +</div> +</div> +<script> +function toggle_toc(){ +var sub = document.getElementById("toc_sub") +var mk = document.getElementById("toc_mk") +if( sub.style.display!="block" ){ +sub.style.display = "block"; +mk.innerHTML = "▼"; +} else { +sub.style.display = "none"; +mk.innerHTML = "►"; +} +} +</script> +</div> + + + + + +<h1 id="executive_summary"><span>1. </span>Executive Summary</h1> + +<ul> +<li><p> +CVEs about SQLite probably do not apply to your use of SQLite. + +</p></li><li><p> +All historical vulnerabilities reported against SQLite require at least +one of these preconditions: +</p><ol type="1"> +<li><p> +The attacker can submit and run arbitrary SQL statements. +</p></li><li><p> +The attacker can submit a maliciously crafted database file to the +application that the application will then open and query. +</p></li></ol> + +</li><li><p> +Few real-world applications meet either of these preconditions, and hence +few real-world applications are vulnerable, even if they use older +and unpatched versions of SQLite. + +</p></li><li><p> +The SQLite development team fixes bugs promptly, +usually within hours of discovery. New releases of SQLite +are issued if the bug seems likely to impact real-world +applications. + +</p></li><li><p> +Grey-hat hackers are rewarded based on the number and severity of +CVEs that they write. This results in a proliferation of CVEs that +have minor impact, or no impact at all, but which make +exaggerated impact claims. + +</p></li><li><p><a name="notnew"></a> +Very few CVEs written about SQLite are real vulnerabilities in the +sense that they do not give any new capabilities to an attacker. +Consider: +</p><ol type="a"> +<li><p> + Almost all CVEs written against SQLite require the ability to + inject and run arbitrary SQL. +</p></li><li><p> + The advertised consequence of most CVEs is "denial of service", + typically by causing a crash through a NULL pointer dereference or + a division by zero, or similar. +</p></li><li><p> + But if an attacker can already run + arbitrary SQL, they do not need a bug to cause a denial of service. + There are plenty of perfectly legal and valid SQL statements + that will consume unlimited CPU, memory, and disk I/O in order + to create a denial-of-service without requiring help from bugs. +</p></li><li><p> + Hence, the mere fact that an attacker has a way to inject and run + arbitrary SQL is in and of itself a denial-of-service attack. That + the arbitrary SQL might also tickle a bug in SQLite and cause a + crash is not a new vulnerability. +</p></li></ol> + +</li><li><p> +The SQLite developers do not write CVEs. Any CVEs you find on +SQLite are generated by third-parties, often without any input from the +core developers. A common scenario is that someone will report a bug in +SQLite, which will promptly be fixed, then weeks later a CVE for that bug will +appear, unbeknownst to the developers. + +</p></li><li><p> +You should not assume that a CVE about +SQLite contains authoritative information. +CVEs often contain inaccuracies. +The SQLite developers have attempted to add clarifications and +corrections to CVEs about SQLite. + +</p></li></ul> + +<h1 id="about_cves"><span>2. </span>About CVEs</h1> + +<p>CVEs ("Common Vulnerabilities and Exposures") are reports of software +bugs that might allow a system to be hacked. The idea +behind CVEs is sound. They provide a common naming scheme whereby +software bugs that might compromise information security can be easily +tracked. + +</p><p>While the original idea being CVEs is sound, the current processes for +creating and managing CVEs are inadequate. There are countless grey-hat +hackers running fuzzers against a wide-variety of open-source software +products (SQLite as well as many others) and writing up CVEs against +any problems they find. The grey-hats are rewarded, sometimes with +prestige and sometimes financially, by the number and severity of +the CVEs they write. This incentive results in a proliferation +of CVEs which are often not well-vetted and which can have exaggerated +impact claims. The quality-control procedures for CVEs are unable +to cope with this flood of inputs, making it difficult to correct +exaggerated, misleading, omitted, or inaccurate claims. + +</p><p>This is not to say that CVEs are useless. CVEs do still (mostly) +report actual bugs. But in most cases the bugs are not true vulnerabilities, +in the sense that they do not contribute to data loss or compromise +in and of themselves. +It is good that bugs are reported and fixed. But not every bug is +accessible from every application. In the case of SQLite, most of the +bugs reported by CVEs are inaccessible in most applications. Upgrading +to the latest version of SQLite is always a good plan, but it need not +be an emergency just because an anonymous grey-hat on the internet +wrote up a CVE. + +</p><h2 id="a_separate_sql_injection_vulnerability_is_usually_required"><span>2.1. </span>A separate SQL injection vulnerability is usually required</h2> + +<p> +Other C-libraries that process complex structured inputs will +routinely be asked to deal with unvetted inputs from untrusted +sources. Libraries like libjpeg, or libzip, or OpenSSL are +handed input streams that come directly from potentially hostile +agents. + +</p><p> +But database engines like SQLite are usually not this way. +The SQL scripts that are passed into SQLite come from the +(trusted) application itself, not from an attacker. Sometimes +applications contain bugs by which an external attacker can +trick the application into sending SQL of the attackers design +into the database engine. This is a separate bug in the +application called an +<a href="https://en.wikipedia.org/wiki/SQL_injection">SQL Injection +vulnerability</a>. Since SQL text is executable code, an +SQL Injection vulnerability is actually a special case of a +<a href="https://en.wikipedia.org/wiki/Arbitrary_code_execution">Remote +Code Execution (RCE) vulnerability</a>. An SQL Injection is perhaps not +quite as bad as other kinds of RCEs because, +while SQL is a powerful language, it is not as convenient +for crafting an exploit as Python or shell script or raw machine code. +Nevertheless, an SQL Injection is a serious problem. + +</p><p> +Most CVEs written about SQLite assume that the attacker is +able to run arbitrary SQL scripts in SQLite. In most applications, +this means that there must first be an SQL Injection vulnerability +that allows the attacker to inject the malicious SQL. + +</p><p> +A few applications do allow untrusted SQL scripts received from +potentially hostile agents to be run direct in SQLite. The main +example of this is the Chrome and Safari web browsers, which allow +an anonymous web page to run SQL using the WebSQL feature of Javascript. +This is done inside a sandbox with tightly controlled constraints on +resources, lest the SQL script try to soak up all available memory +or CPU cycles in a denial-of-service attack. Chrome and Safari +have the infrastructure in place to allow a hostile agent to run +code which does not harm or compromise the rest of the machine. +They have to, as they also run Javascript which could, if not +tightly controlled, do even more damage than unrestrained SQL. +Apart from Chrome and Safari, no applications known to the +SQLite developers deliberately allows an anonymous remote agent +to run arbitrary SQL text. + +</p><p>However, most CVEs written against SQLite flippantly assume +that an attacker is free to run any arbitrary SQL in the database +engine. So to a good approximation, this means most CVEs +written against SQLite really only apply to SQLite as it is +used in Chrome and Safari. Or, in other words, most CVEs +for SQLite do not apply to you unless you are one of the +developers of Chrome or Safari. + +</p><h2 id="defense_against_dark_arts"><span>2.2. </span>Defense Against Dark Arts</h2> + +<p> +Most applications can use SQLite without having to worry about +bugs in obscure SQL inputs. If the application controls +the SQL, and the application is not deliberately trying to break +SQLite, then everything should just work. +It is not necessary to have the latest patched version of SQLite. +Any older version should work just fine. + +</p><p> +However, there are some occasions where an application does need +to be able to safely run untrusted SQL. The SQLite developers work hard +to make SQLite safe for this purpose, though there are occasional +slip-ups. It is good to keep up-to-date with the latest patches +in this case. The separate <a href="security.html">defense against dark arts</a> document +contains additional suggestions that can help prevent zero-day +attacks in cases where SQLite is given inputs that come directly +from untrusted sources. + +</p><h2 id="the_sqlite_developer_policy_toward_cves"><span>2.3. </span>The SQLite Developer Policy Toward CVEs</h2> + +<p>SQLite developers fix all bugs in SQLite as soon as they are reported, +usually within a few hours. The fixes are immediately available on the +<a href="https://sqlite.org/src/timeline">public SQLite source tree</a>. +If a bug seems like it might cause problems for existing applications, +a new patch release for SQLite will be issued. + +</p><p>However, the SQLite developers do not track CVEs. There are +various reasons for this: + +</p><ol> +<li><p> +The developers often do not find out about CVEs until long after the +bug is fixed. You can see this by the fact that many CVEs reference the +bug fix in their initial report. + +</p></li><li><p> +CVEs are a low-quality source of information about bugs in SQLite +that are likely to affect most applications. + +</p></li><li><p> +Almost all bugs reported by CVEs are just bugs and not +true vulnerabilities. Claiming that they are vulnerabilities is +stretching the meaning of the word "vulnerability" and the SQLite +developers do not wish to participate in that deception. + +</p></li><li><p> +The developers have no editorial influence on the content of CVEs, +and they do not like to be controlled by groups in which they have +no voice. +</p></li></ol> + + +<a name="cvetab"></a> + +<h1 id="status_of_recent_sqlite_cves"><span>3. </span>Status Of Recent SQLite CVEs</h1> + +<p>Though the SQLite developers do not consider CVEs to be a reliable +source of information about bugs in SQLite, they recognize that many +groups, and especially small teams working at the bottom of tall +bureaucracies, sometimes need to track CVEs, whether they are useful +or not. To aid in this chore, the following table of recent CVEs +affecting SQLite is provided. + +</p><p>If you notice new CVEs associated with SQLite that are not in +the table below, please bring them to the attention of the developers +on the <a href="https://sqlite.org/forum/about">SQLite Forum</a> so they can +be added. + +</p><table border="1" cellpadding="5" cellspacing="0" style="margin-left:5ex;"> +<thead> +<tr> +<th valign="bottom">CVE Number</th> +<th valign="bottom">Fix</th> +<th valign="bottom">Comments</th> +</tr> +</thead> +<tbody> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-0232'>CVE-2024-0232</a> +</td> +<td valign='top'><a href="releaselog/3_43_2.html">3.43.2</a><br>(2023-10-10)</td> +<td valign='top'>An attacker that can inject arbitrary SQL statements into an application + might be able to provoke a use-after-free bug in SQLite's JSON parser that + can (in theory) lead to an application crash and denial of service. See + <a href="https://sqlite.org/forum/forumpost/b25edc1d4662ebca">forum thread b25edc1d4662</a> + for the bug report.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-32697'>CVE-2023-32697</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This is a bug in the SQLite JDBC library, which is a wrapper library that + provides access to SQLite from Java. SQLite JDBC is created and maintained + independently from SQLite. Despite the use of "SQLite" in the name, the + SQLite JDBC library is not affiliated with the SQLite project in any way. + The vulnerability identified by this CVE is in the separate SQLite JDBC + wrapper library and does not affect SQLite itself.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-39939'>CVE-2023-39939</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This is not a bug in SQLite. This is an + <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection bug</a> in an application + (LuxCal Web Calendar) that links against SQLite. + Even though this CVE is not about SQLite, "SQLite" is + mentioned in the description and so we list it here.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-39543'>CVE-2023-39543</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This is not a bug in SQLite. This is an + <a href="https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting">XSS vulnerability</a> + in a separate application (LuxCal Web Calendar) that links against + SQLite. The bug is in the application, not in SQLite. However "SQLite" is + mentioned in the description and so we list it here.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-7104'>CVE-2023-7104</a> +</td> +<td valign='top'><a href="releaselog/3_43_2.html">3.43.2</a><br>(2023-10-10)</td> +<td valign='top'>This is a bug in the <a href="sessionintro.html">session extension</a> of SQLite, not in the SQLite core. + This bug is only reachable by applications that recompile SQLite using the + <a href="compile.html#enable_session">-DSQLITE_ENABLE_SESSION</a> compile-time option and then use the Session + C-language APIs to process a <a href="sessionintro.html#changeset">changeset</a> that has been subtly corrupted by an + adversary. So this bug probably does not apply to you. See + <a href="https://sqlite.org/forum/forumpost/f935c4708dd528d9">forum post f935c4708dd528d9</a> + for additional information.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-46908'>CVE-2022-46908</a> +</td> +<td valign='top'>Not a bug in the core SQLite library</td> +<td valign='top'>This is a bug in the --safe command-line option of the <a href="cli.html">command-line shell</a> + program that is available for accessing SQLite database files. The bug does + not exist in the SQLite library. Nor is it an issue for the <a href="cli.html">CLI</a> as long as + the user does not depend on the --safe option. It is not serious. It is + debatable whether or not this is a security issue.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-38627'>CVE-2022-38627</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This is not a bug in SQLite. This is an + <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection bug</a> in a specific + PHP application. In other words, the bug is in the PHP application code, not + in SQLite. Even though this CVE is not about SQLite, "SQLite" is + mentioned in the publicity about the bug and so we list it here.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-35737'>CVE-2022-35737</a> +</td> +<td valign='top'><a href="releaselog/3_39_2.html">3.39.2</a><br>(2022-07-21)</td> +<td valign='top'>This bug is an array-bounds overflow. The bug is only accessible when using some + of the C-language APIs provided by SQLite. The bug cannot be reached using SQL + nor can it be reached by providing SQLite with a corrupt database file. + The bug only comes up when very long string inputs (greater than 2 billion bytes + in length) are provided as arguments to a few specific C-language interfaces, + and even then only under special circumstances.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-24854'>CVE-2022-24854</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This CVE describes a bug in an application that uses SQLite, not in SQLite itself. + SQLite is doing everything correctly. The application grants users the ability to + run SQL statements, using SQLite, that can leak or change information that those users + should not normally have access to. This is purely an application bug. It does not + describe a malfunction or vulnerability in SQLite.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-21227'>CVE-2022-21227</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This CVE describes a bug in a third-party packages that provides a binding + for SQLite to Node.js. The bug reported is in the third-party Node.js binding, + not in SQLite itself. Do not be confused by the use of the word "SQLite" in the + ambiguously-worded CVE description.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-45346'>CVE-2021-45346</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This CVE is misinformation. See the discussion around + <a href="https://sqlite.org/forum/forumpost/53de8864ba114bf6">SQLite forum post 53de8864ba114bf</a>.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-42169'>CVE-2021-42169</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This CVE has nothing whatsoever to do with SQLite. It is about a bug in + application that happens to use SQLite. Since SQLite is mentioned in the + CVE description, the CVE is included here to emphasize that + this is not an SQLite bug.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-36690'>CVE-2021-36690</a> +</td> +<td valign='top'>Not a bug in the core SQLite library</td> +<td valign='top'>This bug is not in the SQLite core library, but rather in an + <a href="https://www.sqlite.org/src/dir?ci=trunk&name=ext/expert"> + experimental extension</a> that is used to implement the + <a href="cli.html#expert">.expert command</a> in the <a href="cli.html">CLI</a>. The code that contains the bug + does not appear in <a href="amalgamation.html">standard SQLite builds</a>, though it + is included in the <a href="cli.html">sqlite3.exe command-line tool</a>. + Applications must link against the extra source code files that + implement the extension and take other deliberate actions to + activate the extension before the troublesome code can be run. + For the rare application that uses the troublesome extension, + the consequence of this bug is that malicious SQL can cause a + NULL pointer deference and denial of service. +<a href='https://sqlite.org/forum/info/78165fa25061742f'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-28305'>CVE-2021-28305</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This is not a bug in SQLite. The bug is in a third-party application that + uses SQLite. SQLite is mentioned by name in the CVE description, + however, so we have included the CVE in the list.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-23404'>CVE-2021-23404</a> +</td> +<td valign='top'>Not a bug in SQLite</td> +<td valign='top'>This is not a bug in SQLite. The bug is in a third-party application that + uses SQLite and includes "sqlite" in its name. This CVE is included on the + list because it mentions SQLite even though the bug has nothing to do + with SQLite.</td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-20227'>CVE-2021-20227</a> +</td> +<td valign='top'><a href="releaselog/3_34_1.html">3.34.1</a><br>(2021-01-20)</td> +<td valign='top'>Malicious SQL statement causes read-after-free. No harm can come of this + particular read-after-free instance, as far as anyone knows. The bug is + undetectable without a memory sanitizer. The CVE + claims that this bug is an RCE - a Remote Code Execution + vulnerability, but that claim is incorrect. + The RCE claim is misinformation. +<a href='https://sqlite.org/src/info/30a4c323650cc949'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-20223'>CVE-2021-20223</a> +</td> +<td valign='top'><a href="releaselog/3_34_0.html">3.34.0</a><br>(2020-12-01)</td> +<td valign='top'>The problem identified by this CVE is <u>not</u> a vulnerability. + It is a malfunction. A coding error causes <a href="fts5.html">FTS5</a> + to sometimes return inconsistent and incorrect results under obscure circumstances, + but no memory errors occur. +<a href='https://sqlite.org/src/info/b7b7bde9b7a03665'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-15358'>CVE-2020-15358</a> +</td> +<td valign='top'><a href="releaselog/3_32_3.html">3.32.3</a><br>(2020-06-18)</td> +<td valign='top'>Malicious SQL statement causes a read past the end of a heap buffer. +<a href='https://sqlite.org/src/info/8f157e8010b22af0'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-13871'>CVE-2020-13871</a> +</td> +<td valign='top'><a href="releaselog/3_32_3.html">3.32.3</a><br>(2020-06-18)</td> +<td valign='top'>Malicious SQL statement causes a read-only use-after-free memory error. +<a href='https://sqlite.org/src/info/c8d3b9f0a750a529'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-13632'>CVE-2020-13632</a> +</td> +<td valign='top'><a href="releaselog/3_32_0.html">3.32.0</a><br>(2020-05-22)</td> +<td valign='top'>Malicious SQL statement causes a read of a NULL pointer in the + <a href="fts3.html#matchinfo">matchinfo()</a> SQL function of the <a href="fts3.html">FTS3</a> extension, resulting in + denial of service. +<a href='https://sqlite.org/src/info/a4dd148928ea65bd'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-13631'>CVE-2020-13631</a> +</td> +<td valign='top'><a href="releaselog/3_32_0.html">3.32.0</a><br>(2020-05-22)</td> +<td valign='top'>Malicious SQL statement (an ALTER TABLE that tries to rename a + <a href="vtab.html">virtual table</a> into one of its own <a href="vtab.html#xshadowname">shadow tables</a>) + causes an infinite loop and denial of service. +<a href='https://sqlite.org/src/info/eca0ba2cf4c0fdf7'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-13630'>CVE-2020-13630</a> +</td> +<td valign='top'><a href="releaselog/3_32_0.html">3.32.0</a><br>(2020-05-22)</td> +<td valign='top'>Malicious SQL statement causes a read-only use-after-free, + possibly resulting in an incorrect output from the <a href="fts3.html#snippet">snippet()</a> + SQL function of the <a href="fts3.html">FTS3</a> extension. There is no known + way to exfiltrate data or crash the application using this bug. +<a href='https://sqlite.org/src/info/0d69f76f0865f962'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-13435'>CVE-2020-13435</a> +</td> +<td valign='top'><a href="releaselog/3_32_1.html">3.32.1</a><br>(2020-05-25)</td> +<td valign='top'>Malicious SQL statement causes a read access to a NULL pointer and + denial of service. +<a href='https://www.sqlite.org/src/info/7a5279a25c57adf1'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-13434'>CVE-2020-13434</a> +</td> +<td valign='top'><a href="releaselog/3_32_1.html">3.32.1</a><br>(2020-05-25)</td> +<td valign='top'>Malicious SQL statement involving the printf() SQL function results + in an integer overflow which can overwrite the stack with over 2 + billion bytes of 0x30 or 0x20 (ASCII '0' or ' '). + Even though this is a stack overwrite, there is no known way to + redirect control or otherwise escalate the level of harm. + This is a denial-of-service attack only. +<a href='https://www.sqlite.org/src/info/23439ea582241138'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-11656'>CVE-2020-11656</a> +</td> +<td valign='top'><a href="releaselog/3_32_0.html">3.32.0</a><br>(2020-05-22)</td> +<td valign='top'>Malicious SQL statement causes read-only use-after-free of memory allocation + if SQLite is compile with -DSQLITE_DEBUG. Does not affect release + builds. +<a href='https://www.sqlite.org/src/info/4722bdab08cb1'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-11655'>CVE-2020-11655</a> +</td> +<td valign='top'><a href="releaselog/3_32_0.html">3.32.0</a><br>(2020-05-22)</td> +<td valign='top'>Malicious SQL statement causes a read using an uninitialized pointer + and denial-of-service. +<a href='https://www.sqlite.org/src/info/af4556bb5c285c08'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-9327'>CVE-2020-9327</a> +</td> +<td valign='top'><a href="releaselog/3_32_0.html">3.32.0</a><br>(2020-05-22)</td> +<td valign='top'>Malicious SQL statement causes a read using an uninitialized pointer + and denial-of-service +<a href='https://www.sqlite.org/src/info/4374860b29383380'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-6405'>CVE-2020-6405</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>Malicious SQL statement causes a NULL pointer dereference and + denial-of-service +<a href='https://www.sqlite.org/src/info/1bc783da63d58b05'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-20218'>CVE-2019-20218</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>Malicious SQL statement causes an uninitialized pointer read and + denial-of-service. +<a href='https://www.sqlite.org/src/timeline?r=better-error-handling-1'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19959'>CVE-2019-19959</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>Malicious SQL statement causes a NULL pointer dereference + in the <a href="zipfile.html">Zipfile virtual table</a> extension and + denial-of-service. This is only possible when the optional + <a href="zipfile.html">Zipfile virtual table</a> extension is deployed, which is not + the case in default builds. +<a href='https://www.sqlite.org/src/info/cc0fb00a128fd077'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19926'>CVE-2019-19926</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>Malicious SQL statement causes an uninitialized pointer read and + denial-of-service. +<a href='https://www.sqlite.org/src/info/cba2a2a44cdf138a'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19925'>CVE-2019-19925</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>Malicious SQL statement causes a NULL pointer dereference and + in the <a href="zipfile.html">Zipfile virtual table</a> extension and + denial-of-service. This is only possible when the optional + <a href="zipfile.html">Zipfile virtual table</a> extension is deployed, which is not + the case in default builds. +<a href='https://www.sqlite.org/src/info/a80f84b511231204'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19924'>CVE-2019-19924</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>Malicious SQL statement causes an uninitialized pointer reference and + denial-of-service. +<a href='https://www.sqlite.org/src/info/e2bddcd4c55ba3cb'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19923'>CVE-2019-19923</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>Malicious SQL statement causes a NULL pointer dereference and + denial-of-service. +<a href='https://www.sqlite.org/src/info/862974312edf00e9'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19646'>CVE-2019-19646</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>The <a href="pragma.html#pragma_integrity_check">PRAGMA integrity_check</a> command might cause the byte-code for a prepared + statement to loop indefinitely. This might enable a denial-of-service, if the + application has not taken appropriate and prudent steps + to limit the run-time of SQL statements. This is not a vulnerability, as there + are countless perfectly valid SQL queries, especially queries involving + <a href="lang_with.html#recursivecte">recursive common table expressions</a>, that also run essentially forever. +<a href='https://sqlite.org/src/info/bd8c280671ba44a7'>(details)</a></td> +</tr> + +<tr><td valign='top'> +<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19317'>CVE-2019-19317</a> +</td> +<td valign='top'><a href="releaselog/3_31_0.html">3.31.0</a><br>(2020-01-22)</td> +<td valign='top'>This CVE identifies a bug in a development check-in of + SQLite. The bug never appeared in any official SQLite release. +<a href='https://www.sqlite.org/src/info/6601da58032d18ae'>(details)</a></td> +</tr> + + +</tbody> +</table> +<p align="center"><small><i>This page last modified on <a href="https://sqlite.org/docsrc/honeypot" id="mtimelink" data-href="https://sqlite.org/docsrc/finfo/pages/cves.in?m=c03e1c6ed6">2024-01-16 16:06:37</a> UTC </small></i></p> + |