As reported recently, a researcher has found a serious security flaw in SQLite. Exploiting this flaw could allow for an attacker to execute remote code on a target system. Fortunately vendors have now patched this SQLite vulnerability.
SQLite Vulnerability Allowing RCE
Researcher Cory Duplantis from Cisco Talos found a serious security vulnerability in SQLite. Upon exploit, the flaw could allow a potential attacker to execute remote codes on the target device.
Describing this SQLite vulnerability in their advisory, Cisco Talos stated,
A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution.
As reported, the vulnerability existed in the window function functionality of SQLite3 3.26.0. A potential attacker could easily trigger this flaw simply by sending maliciously crafted SQL command.
An attacker can send a malicious SQL command to trigger this vulnerability.
After the use after free vulnerability appeared, the attacker could then gain access to the affected system, corrupt data, and execute codes remotely.
The vulnerability has received the CVE number CVE-2019-5018, with a CVSS score of 8.1. The technical details regarding the existence and exploitation of this vulnerability are available in the advisory.
Vendor Patched The Flaw
According to the timeline mentioned in the advisory, the vendor disclosure of this vulnerability took place on February 5, 2019. The researcher tested SQLite versions 3.26.0 and 3.27.0.
The vendors subsequently patched the flaw with the release of the version 3.28.0.
SQLite is a SQL database engine implementation library that powers most browsers, hardware devices, mobile devices, and user apps. It is a fast, small, and dependable database solution.
Do share with us your thoughts in the comment section.