LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6589
CVE STATUS: Patched
CVE SUMMARY: Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6589

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6590
CVE STATUS: Patched
CVE SUMMARY: Multiple directory traversal vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to read arbitrary files via a .. (dot dot) in the page parameter to (1) index.php and (2) LightNEasy.php.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6590

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6592
CVE STATUS: Patched
CVE SUMMARY: thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6592

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2008-6593
CVE STATUS: Patched
CVE SUMMARY: SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6593

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2013-7443
CVE STATUS: Patched
CVE SUMMARY: Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7443

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3414
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3414

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3415
CVE STATUS: Patched
CVE SUMMARY: The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3415

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3416
CVE STATUS: Patched
CVE SUMMARY: The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3416

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-3717
CVE STATUS: Patched
CVE SUMMARY: Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3717

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-5895
CVE STATUS: Patched
CVE SUMMARY: Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown impact and attack vectors.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5895

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2015-6607
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6607

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2016-6153
CVE STATUS: Patched
CVE SUMMARY: os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.
CVSS v2 BASE SCORE: 4.6
CVSS v3 BASE SCORE: 5.9
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6153

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-10989
CVE STATUS: Patched
CVE SUMMARY: The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10989

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-13685
CVE STATUS: Patched
CVE SUMMARY: The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13685

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2017-15286
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15286

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20346
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20346

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20505
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20505

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-20506
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20506

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2018-8740
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8740

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-16168
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16168

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19242
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19242

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19244
CVE STATUS: Patched
CVE SUMMARY: sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19244

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19317
CVE STATUS: Patched
CVE SUMMARY: lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19317

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19603
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19603

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19645
CVE STATUS: Patched
CVE SUMMARY: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19645

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19646
CVE STATUS: Patched
CVE SUMMARY: pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19646

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19880
CVE STATUS: Patched
CVE SUMMARY: exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19880

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19923
CVE STATUS: Patched
CVE SUMMARY: flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19923

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19924
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 5.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19924

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19925
CVE STATUS: Patched
CVE SUMMARY: zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19925

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19926
CVE STATUS: Patched
CVE SUMMARY: multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19926

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-19959
CVE STATUS: Patched
CVE SUMMARY: ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19959

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-20218
CVE STATUS: Patched
CVE SUMMARY: selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20218

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-5018
CVE STATUS: Patched
CVE SUMMARY: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.1
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5018

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-8457
CVE STATUS: Patched
CVE SUMMARY: SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8457

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-9936
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9936

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2019-9937
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9937

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-11655
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11655

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-11656
CVE STATUS: Patched
CVE SUMMARY: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11656

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13434
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13434

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13435
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13435

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13630
CVE STATUS: Patched
CVE SUMMARY: ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
CVSS v2 BASE SCORE: 4.4
CVSS v3 BASE SCORE: 7.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13630

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13631
CVE STATUS: Patched
CVE SUMMARY: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13631

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13632
CVE STATUS: Patched
CVE SUMMARY: ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13632

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-13871
CVE STATUS: Patched
CVE SUMMARY: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13871

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-15358
CVE STATUS: Patched
CVE SUMMARY: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15358

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-35525
CVE STATUS: Patched
CVE SUMMARY: In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35525

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-35527
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35527

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2020-9327
CVE STATUS: Patched
CVE SUMMARY: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9327

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-20227
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20227

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-31239
CVE STATUS: Patched
CVE SUMMARY: An issue found in SQLite SQLite3 v.3.35.4 that allows a remote attacker to cause a denial of service via the appendvfs.c function.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31239

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-36690
CVE STATUS: Patched
CVE SUMMARY: A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36690

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2021-45346
CVE STATUS: Patched
CVE SUMMARY: A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.
CVSS v2 BASE SCORE: 4.0
CVSS v3 BASE SCORE: 4.3
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45346

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2022-35737
CVE STATUS: Patched
CVE SUMMARY: SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35737

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2022-46908
CVE STATUS: Patched
CVE SUMMARY: SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46908

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2023-7104
CVE STATUS: Patched
CVE SUMMARY: A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.
CVSS v2 BASE SCORE: 5.2
CVSS v3 BASE SCORE: 7.3
VECTOR: ADJACENT_NETWORK
VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7104

LAYER: meta
PACKAGE NAME: sqlite3
PACKAGE VERSION: 3_3.45.1
CVE: CVE-2024-0232
CVE STATUS: Patched
CVE SUMMARY: A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0232