{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-23T00:06:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114382.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114394.html"}, {"tags": ["x_refsource_MISC"], "url": "https://sqlite.org/src/info/b3fa58dd7403dbd4"}, {"name": "107562", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107562"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190416-0005/"}, {"name": "openSUSE-SU-2019:1372", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00026.html"}, {"name": "FEDORA-2019-8641591b3c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXD2GYJVTDGEQPUNMMMC5TB7MQXOBBMO/"}, {"name": "FEDORA-2019-a01751837d", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N66U5PY5UJU4XBFZJH7QNKIDNAVIB4OP/"}, {"name": "USN-4019-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4019-1/"}, {"name": "GLSA-201908-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201908-09"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2340-1] sqlite3 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9936", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114382.html", "refsource": "MISC", "url": "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114382.html"}, {"name": "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114394.html", "refsource": "MISC", "url": "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114394.html"}, {"name": "https://sqlite.org/src/info/b3fa58dd7403dbd4", "refsource": "MISC", "url": "https://sqlite.org/src/info/b3fa58dd7403dbd4"}, {"name": "107562", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107562"}, {"name": "https://security.netapp.com/advisory/ntap-20190416-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190416-0005/"}, {"name": "openSUSE-SU-2019:1372", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00026.html"}, {"name": "FEDORA-2019-8641591b3c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXD2GYJVTDGEQPUNMMMC5TB7MQXOBBMO/"}, {"name": "FEDORA-2019-a01751837d", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N66U5PY5UJU4XBFZJH7QNKIDNAVIB4OP/"}, {"name": "USN-4019-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4019-1/"}, {"name": "GLSA-201908-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-09"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2340-1] sqlite3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:01:55.188Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114382.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114394.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sqlite.org/src/info/b3fa58dd7403dbd4"}, {"name": "107562", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/107562"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190416-0005/"}, {"name": "openSUSE-SU-2019:1372", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00026.html"}, {"name": "FEDORA-2019-8641591b3c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXD2GYJVTDGEQPUNMMMC5TB7MQXOBBMO/"}, {"name": "FEDORA-2019-a01751837d", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N66U5PY5UJU4XBFZJH7QNKIDNAVIB4OP/"}, {"name": "USN-4019-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4019-1/"}, {"name": "GLSA-201908-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201908-09"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "[debian-lts-announce] 20200822 [SECURITY] [DLA 2340-1] sqlite3 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9936", "datePublished": "2019-03-22T07:07:04", "dateReserved": "2019-03-22T00:00:00", "dateUpdated": "2024-08-04T22:01:55.188Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sqlite:sqlite:3.27.2:*:*:*:*:*:*:*", "matchCriteriaId": "C1D25C0F-15FD-444C-A0BC-D390862CFD15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c."}, {"lang": "es", "value": "En SQLite 3.27.2, la ejecuci\u00f3n de las consultas de prefijo fts5 en una transacci\u00f3n podr\u00eda desencadenar una sobrelectura de b\u00fafer basada en memoria din\u00e1mica (heap) en fts5HashEntrySort en sqlite3.c, lo que podr\u00eda conducir a una fuga de informaci\u00f3n. Esto est\u00e1 relacionado con ext/fts5/fts5_hash.c."}], "id": "CVE-2019-9936", "lastModified": "2023-11-07T03:13:49.123", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-22T08:29:00.607", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00026.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107562"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXD2GYJVTDGEQPUNMMMC5TB7MQXOBBMO/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N66U5PY5UJU4XBFZJH7QNKIDNAVIB4OP/"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201908-09"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190416-0005/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://sqlite.org/src/info/b3fa58dd7403dbd4"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4019-1/"}, {"source": "cve@mitre.org", "url": "https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114382.html"}, {"source": "cve@mitre.org", "url": "https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg114394.html"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "sqlite: heap-based buffer over-read in function fts5HashEntrySort in sqlite3.c", "id": "1692365", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1692365"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-122", "details": ["In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c."], "name": "CVE-2019-9936", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "sqlite", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2019-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-9936\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9936"], "statement": "This issue did not affect the versions of sqlite as shipped with Red Hat Enterprise Linux 6 and 7 as they did not include support for fts5.", "threat_severity": "Low"}