Detections
Analytics
RHEL 8 : sqlite (RHSA-2020:1810)
critical Nessus Plugin ID 136056
Language:
Synopsis
The remote Red Hat host is missing one or more security updates for sqlite.Description
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1810 advisory.SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use.
Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server.
Security Fix(es):
* sqlite: heap out-of-bound read in function rtreenode() (CVE-2019-8457)
* sqlite: fts3: improve shadow table corruption detection (CVE-2019-13752)
* sqlite: fts3: incorrectly removed corruption check (CVE-2019-13753)
* sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference (CVE-2019-19923)
* sqlite: incorrect sqlite3WindowRewrite() error handling leads to mishandling certain parser-tree rewriting (CVE-2019-19924)
* sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive (CVE-2019-19925)
* sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames (CVE-2019-19959)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the RHEL sqlite package based on the guidance in RHSA-2020:1810.See Also
http://www.nessus.org/u?c8d8a275
http://www.nessus.org/u?dd7b3f20
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/errata/RHSA-2020:1810
https://bugzilla.redhat.com/show_bug.cgi?id=1716881
https://bugzilla.redhat.com/show_bug.cgi?id=1781999
https://bugzilla.redhat.com/show_bug.cgi?id=1782000
https://bugzilla.redhat.com/show_bug.cgi?id=1788842
https://bugzilla.redhat.com/show_bug.cgi?id=1788846
Plugin Details
Severity: Critical
ID: 136056
File Name: redhat-RHSA-2020-1810.nasl
Version: 1.12
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 4/28/2020
Updated: 11/7/2024
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
Vendor
Vendor Severity: Moderate
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2019-8457
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:sqlite-libs, p-cpe:/a:redhat:enterprise_linux:lemon, p-cpe:/a:redhat:enterprise_linux:sqlite, p-cpe:/a:redhat:enterprise_linux:sqlite-devel, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:sqlite-doc
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 4/28/2020
Vulnerability Publication Date: 5/30/2019
Reference Information
CVE: CVE-2019-13752, CVE-2019-13753, CVE-2019-19923, CVE-2019-19924, CVE-2019-19925, CVE-2019-19959, CVE-2019-8457