sqlite sqlite 跨界内存读

admin

0
文章

0
评论

2023-11-30 20:19:04 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 sqlite sqlite 跨界内存读

CVE编号

CVE-2021-36690

利用情况

POC 已公开

补丁情况

没有补丁

披露时间

2021-08-24

漏洞描述

** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.

解决建议

更新至最新版本

参考链接
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/39
http://seclists.org/fulldisclosure/2022/Oct/41
http://seclists.org/fulldisclosure/2022/Oct/47
http://seclists.org/fulldisclosure/2022/Oct/49
https://support.apple.com/kb/HT213446
https://support.apple.com/kb/HT213486
https://support.apple.com/kb/HT213487
https://support.apple.com/kb/HT213488
https://www.sqlite.org/forum/forumpost/718c0a8d17

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	sqlite	sqlite	3.36.0	-
	运行在以下环境
	系统	debian_10	sqlite	*		Up to (including) 3.27.2-3+deb10u1
	运行在以下环境
	系统	debian_11	sqlite3	*		Up to (including) 3.34.1-3
	运行在以下环境
	系统	debian_12	sqlite3	*		Up to (excluding) 3.36.0-2
	运行在以下环境
	系统	debian_sid	sqlite3	*		Up to (excluding) 3.36.0-2
	运行在以下环境
	系统	opensuse_5.2	libsqlite3	*		Up to (excluding) 0-3.39.3-150000.3.17.1
	运行在以下环境
	系统	opensuse_Leap_15.3	sqlite3-devel	*		Up to (excluding) 3.39.3-150000.3.17.1
	运行在以下环境
	系统	opensuse_Leap_15.4	sqlite3-devel	*		Up to (excluding) 3.39.3-150000.3.17.1
	运行在以下环境
	系统	suse_12_SP5	sqlite3	*		Up to (excluding) 0-3.39.3-9.23.1
	运行在以下环境
	系统	ubuntu_18.04	sqlite3	*		Up to (excluding) 3.22.0-1ubuntu0.5
	运行在以下环境
	系统	ubuntu_20.04	sqlite3	*		Up to (excluding) 3.31.1-4ubuntu0.3
	运行在以下环境
	系统	ubuntu_21.10	sqlite3	*		Up to (excluding) 3.35.5-1ubuntu0.1
	运行在以下环境
	系统	unionos_d	sqlite3	*		Up to (excluding) 3.39.3-1