SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Remote Code Execution Vulnerability Impacts SQLite
Date    Tuesday May 14 2019, @09:26PM
Author    martyb
from the not-even-remotely-funny dept.
https://soylentnews.org/article.pl?sid=19/05/14/189217

Fnord666 writes:

https://www.securityweek.com/remote-code-execution-vulnerability-impacts-sqlite

A use-after-free vulnerability in SQLite could be exploited by an attacker to remotely execute code on a vulnerable machine, Cisco Talos security researchers have discovered.

Tracked as CVE-2019-5018 and featuring a CVSS score of 8.1, the vulnerability resides in the window function functionality of SQLite3 3.26.0 and 3.27.0.

To trigger the flaw, an attacker would need to send a specially crafted SQL command to the victim, which could allow them to execute code remotely.

The popular SQLite library, a client-side database management system, is widely used in mobile devices, browsers, hardware devices, and user applications, Talos notes.

SQLite implements the Window Functions feature of SQL, allowing queries over a subset, or "window," of rows, and the newly revealed vulnerability was found in the "window" function.

The security researchers discovered that, after the parsing of a SELECT statement that contains a window function, in certain conditions, the expression-list held by the SELECT object is rewritten and the master window object is used during the process.


printed from SoylentNews, Remote Code Execution Vulnerability Impacts SQLite on 2024-04-25 19:02:37