Monday, February 17, 2025
HomeCyber Security NewsSQLite Vulnerability allows Hackers to Remotely Execute Code on the Vulnerable Device

SQLite Vulnerability allows Hackers to Remotely Execute Code on the Vulnerable Device

Published on

SIEM as a Service

Follow Us on Google News

Talos security researchers discovered a Use After Free vulnerability in SQLite, allows attackers to send malicious SQL commands to trigger the vulnerability.

The free vulnerability exists in the window function functionality of Sqlite3; the flaw can be tracked as CVE-2019-5018; it affects SQLite 3.26.0, 3.27.0 and receives 8.1 – CVSS:3.0 score.

SQLite is a favorite library used in implementing SQL database engine; it is used extensively in a number of devices including mobile devices, browsers, hardware devices, and user applications.

“SQLite implements the Window Functions feature of SQL which allows queries over a subset, or “window,” of rows. After parsing a SELECT statement that contains a window function, the SELECT statement is transformed using the sqlite3WindowRewrite function.”

The master objected retriwed from the SELECt objects and rewrites for easier processing. Researchers discovered that during deletion of expression, “if the expression is marked as a Window Function, the associated Window object is deleted as well.”

While deletion of windows, it’s associated partition of the window also get deleted, “After this partition is deleted, it is then reused in exprListAppendList [5], causing a use after free vulnerability, resulting in a denial of service,” reads vulnerability report.

“If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution.”

Vulnerability Disclosure Timeline

2019-02-05 – Vendor Disclosure
2019-03-07 – 30 day follow up with vendor; awaiting moderator approval
2019-03-28 – Vendor patched
2019-05-09 – Public Release

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Critical SQLite Bug Affected all Modern Operating Systems and Software

phpMyAdmin 4.8.5 Released with Fixes for SQL injection and Arbitrary File Read Vulnerability

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit Microsoft Teams Invites to Gain Unauthorized Access

The Microsoft Threat Intelligence Center (MSTIC) has uncovered an ongoing and sophisticated phishing campaign...

Meta’s Bug Bounty Initiative Pays $2.3 Million to Security Researchers in 2024

Meta's commitment to cybersecurity took center stage in 2024 as the tech giant awarded...

Google Chrome Introduces AI to Block Malicious Websites and Downloads

Google has taken a significant step in enhancing internet safety by integrating artificial intelligence...

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit Microsoft Teams Invites to Gain Unauthorized Access

The Microsoft Threat Intelligence Center (MSTIC) has uncovered an ongoing and sophisticated phishing campaign...

Meta’s Bug Bounty Initiative Pays $2.3 Million to Security Researchers in 2024

Meta's commitment to cybersecurity took center stage in 2024 as the tech giant awarded...

Google Chrome Introduces AI to Block Malicious Websites and Downloads

Google has taken a significant step in enhancing internet safety by integrating artificial intelligence...