Kees Nuyt, on Thursday, November 21, 2019 03:48 PM, wrote... > > > Thanks, Jose. > > I see no CVE entered by the OP, but maybe I missed something.
Yes, you are right. After pasting it, I went through the top 5 and none of these aren't/weren't the one. Apologies. I thought that by searching on sqlite the top 5 or so would be the one that was just opened, but for some reason, it was not. Sorry about that. Fast fingers Jose. josé > A quick look to your list : > > > Name Description > > CVE-2019-9937, on > > In SQLite 3.27.2, interleaving reads and writes in a single transaction with > > an fts5 virtual table will lead to a NULL Pointer Dereference in > > fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and > > ext/fts5/fts5_index.c. > > Resolved 2019-03-18 > > > > CVE-2019-9936, on > > In SQLite 3.27.2, running fts5 prefix queries inside a transaction could > > trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, > > which > > may lead to an information leak. This is related to ext/fts5/fts5_hash.c. > > Resolved 2019-03-18 > > > > CVE-2019-5827, on > > Integer overflow in SQLite via WebSQL in Google Chrome prior to > > 74.0.3729.131 > > allowed a remote attacker to potentially exploit heap corruption via a > > crafted > > HTML page. > > Resolved 2019-04-13 > > > > CVE-2019-3784, on > > Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session > > that can be spoofed. When deployed on cloud foundry with multiple instances > > using the default embedded SQLite database, a remote authenticated malicious > > user can switch sessions to another user with the same session id. > > Application error > > > > CVE-2019-1616 > > 8<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168> > > In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a > > browser or other application because of missing validation of a sqlite_stat1 > > sz field, aka a "severe division by zero in the query planner." > > Resolved 2019-08-15 > > > > CVE-2019-1075 > > 2<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10752> > > Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to > > SQL Injection due to sequelize.json() helper function not escaping values > > properly when formatting sub paths for JSON queries for MySQL, MariaDB and > > SQLite. > > Application error > > > > CVE-2018-8740, on > > In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE > > TABLE AS statement could cause a NULL pointer dereference, related to > > build.c > > and prepare.c. > > Resolved 2018-03-16 > > > > CVE-2018-7774, on > > The vulnerability exists within processing of localize.php in Schneider > > Electric U.motion Builder software versions prior to v1.3.4. The underlying > > SQLite database query is subject to SQL injection on the username input > > parameter. > > Application error > > > -- > Regards, > Kees Nuyt > _______________________________________________ > sqlite-users mailing list > [email protected] > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users _______________________________________________ sqlite-users mailing list [email protected] http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
