SQLite 3.30.1 Vulnerability in SELECT DISTINCT with LEFT JOIN
CVE-2019-19923

7.5HIGH

Key Information:

Vendor: Sqlite
Status: Sqlite
Vendor: CVE Published:; 24 December 2019

What is CVE-2019-19923?

SQLite version 3.30.1 contains a vulnerability in the flattenSubquery function within the select.c file. This issue arises when SELECT DISTINCT statements involving LEFT JOIN operations are executed, particularly when the right-hand side of the join is a view. As a result, this can lead to a NULL pointer dereference or potentially incorrect query results, which may impact the integrity of data retrieval processes.

References

https://github.com/sqlite/sqlite/commit/396afe6f6aa90a313...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20200114-0003/

x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-security-announce/2020...

vendor-advisoryx_refsource_SUSE

EPSS Score

13% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 24, 2019
Vulnerability Reserved
Dec 23, 2019

Sqlite

What is CVE-2019-19923?

References

EPSS Score

CVSS V3.1

Timeline