Serious SQLite Remote Code Execution Vulnerability Discovered


As reported recently, a researcher has found a serious security flaw in SQLite. Exploiting this flaw could allow an attacker to execute code remotely on a target system. Fortunately, vendors have now patched this SQLite vulnerability.

SQLite Vulnerability Allowing RCE

Researcher Cory Duplantis from Cisco Talos found a serious security vulnerability in SQLite. If exploited, the flaw could allow an attacker to execute code remotely on the target device.

Describing this SQLite vulnerability in their advisory, Cisco Talos stated,

A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution.

As reported, the vulnerability existed in the window function functionality of SQLite3 3.26.0. An attacker could easily trigger this flaw simply by sending a maliciously crafted SQL command.

An attacker can send a malicious SQL command to trigger this vulnerability.

Once the use-after-free condition is triggered, the attacker could then gain access to the affected system, corrupt data, and execute code remotely.

The vulnerability has received the CVE number CVE-2019-5018, with a CVSS score of 8.1. The technical details regarding the existence and exploitation of this vulnerability are available in the advisory.

Vendor Patched The Flaw

According to the timeline mentioned in the advisory, the vendor disclosure of this vulnerability took place on February 5, 2019. The researcher tested SQLite versions 3.26.0 and 3.27.0.

The vendors subsequently patched the flaw with the release of version 3.28.0.
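A defender's check built on the versions named above, as an added example that is not from the article or the advisory: it classifies SQLite version strings against the 3.28.0 fix and reports the library the running Python interpreter is linked to. The inventory entries and the status labels are constructed for illustration.

```python
import sqlite3

FIXED = (3, 28, 0)                 # release the article says carries the patch
TESTED = {(3, 26, 0), (3, 27, 0)}  # versions the article says the researcher tested

def parse_version(text):
    """Turn '3.27.0' or '3.8.10.2' into a comparable tuple, padded to 3 parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) > 4:
        raise ValueError(f"unexpected SQLite version string: {text!r}")
    return parts + (0,) * (3 - len(parts))

def classify(text):
    """Map a version string to one of three status labels (labels are ours)."""
    v = parse_version(text)
    if v >= FIXED:
        return "patched"
    if v[:3] in TESTED:
        return "tested-vulnerable"
    # Older than the fix, but the article does not say whether it was tested.
    return "below-fixed-release"

def linked_sqlite_version():
    """Ask the SQLite library this interpreter is actually linked against."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT sqlite_version()").fetchone()[0]
    finally:
        conn.close()

def audit(inventory):
    """Return {component: status} for everything not on the fixed release."""
    statuses = {name: classify(ver) for name, ver in inventory.items()}
    return {name: s for name, s in statuses.items() if s != "patched"}

# Constructed inventory: component names and versions are sample data.
SAMPLE_INVENTORY = {
    "reporting-service": "3.26.0",
    "mobile-sync-agent": "3.27.0",
    "legacy-kiosk": "3.8.10.2",
    "build-tooling": "3.31.1",
}

if __name__ == "__main__":
    here = linked_sqlite_version()
    print(f"this interpreter links SQLite {here}: {classify(here)}")
    for name, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name}: {status}")
```

Many applications bundle their own copy of SQLite, so the version reported by the system package manager is not necessarily the one an application loads.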

SQLite is a SQL database engine implementation library that powers most browsers, hardware devices, mobile devices, and user apps. It is a fast, small, and dependable database solution.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]