CVE-2019-19880

HIGH

SQLite < 8.0.19 - NULL Pointer Dereference

Title source: rule

Description

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.

References (10)

Core References
Third Party Advisory x_refsource_confirm: https://security.netapp.com/advisory/ntap-20200114-0001/
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse: http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse: http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
Third Party Advisory vendor-advisory x_refsource_redhat: https://access.redhat.com/errata/RHSA-2020:0514
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse: http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
Third Party Advisory vendor-advisory x_refsource_debian: https://www.debian.org/security/2020/dsa-4638
Broken Link vendor-advisory x_refsource_ubuntu: https://usn.ubuntu.com/4298-1/
Patch, Third Party Advisory x_refsource_misc: https://www.oracle.com/security-alerts/cpuapr2020.html
Patch, Third Party Advisory x_refsource_confirm: https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Scores

CVSS v3 7.5
EPSS 0.0844
EPSS Percentile 92.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (12)
debian/debian_linux 9.0
debian/debian_linux 10.0
netapp/cloud_backup
opensuse/backports_sle 15.0 sp1
opensuse/leap 15.1
oracle/mysql_workbench < 8.0.19
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_workstation 6.0
siemens/sinec_infrastructure_network_services < 1.0.1.1
... and 2 more
Published Dec 18, 2019
Tracked Since Feb 18, 2026