CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Sqlite » Sqlite » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-20227 416 DoS Exec Code 2021-03-23 2021-12-10
2.1
None Local Low Not required None None Partial
A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.
2 CVE-2020-15358 787 Overflow 2020-06-27 2022-05-12
2.1
None Local Low Not required None None Partial
In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
3 CVE-2020-13632 476 2020-05-27 2022-05-13
2.1
None Local Low Not required None None Partial
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
4 CVE-2020-13631 2020-05-27 2022-05-13
2.1
None Local Low Not required None Partial None
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
5 CVE-2020-13630 416 2020-05-27 2022-05-13
4.4
None Local Medium Not required Partial Partial Partial
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
6 CVE-2020-13435 476 2020-05-24 2021-06-14
2.1
None Local Low Not required None None Partial
SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
7 CVE-2020-13434 190 Overflow 2020-05-24 2022-05-12
2.1
None Local Low Not required None None Partial
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
8 CVE-2020-11656 416 2020-04-09 2022-04-08
7.5
None Remote Low Not required Partial Partial Partial
In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
9 CVE-2020-11655 665 DoS 2020-04-09 2022-04-08
5.0
None Remote Low Not required None None Partial
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
10 CVE-2019-19646 754 2019-12-09 2022-04-15
7.5
None Remote Low Not required Partial Partial Partial
pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.
11 CVE-2019-19645 674 2019-12-09 2022-04-15
2.1
None Local Low Not required None None Partial
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
12 CVE-2019-16168 369 2019-09-09 2021-07-31
4.3
None Remote Medium Not required None None Partial
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
13 CVE-2019-8457 125 2019-05-30 2021-07-31
7.5
None Remote Low Not required Partial Partial Partial
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
14 CVE-2018-20506 190 Exec Code Overflow 2019-04-03 2021-07-31
6.8
None Remote Medium Not required Partial Partial Partial
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.
15 CVE-2018-20505 89 DoS Sql 2019-04-03 2019-06-19
5.0
None Remote Low Not required None None Partial
SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).
16 CVE-2018-20346 190 Exec Code Overflow 2018-12-21 2021-07-31
6.8
None Remote Medium Not required Partial Partial Partial
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
17 CVE-2018-8740 476 2018-03-17 2021-06-29
5.0
None Remote Low Not required None None Partial
In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.
18 CVE-2017-10989 125 2017-07-07 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
19 CVE-2016-6153 20 DoS +Info 2016-09-26 2018-10-30
4.6
None Local Low Not required Partial Partial Partial
os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.
20 CVE-2015-3717 120 DoS Exec Code Overflow 2015-07-03 2020-11-20
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
21 CVE-2015-3416 119 DoS Overflow 2015-04-24 2018-07-19
7.5
None Remote Low Not required Partial Partial Partial
The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
22 CVE-2015-3415 20 DoS 2015-04-24 2018-07-19
7.5
None Remote Low Not required Partial Partial Partial
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
23 CVE-2015-3414 20 DoS 2015-04-24 2018-07-19
7.5
None Remote Low Not required Partial Partial Partial
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
Total number of vulnerabilities : 23   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.