Division by zero in sqlite (Alpine package)



| Updated: 2021-06-20
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-16168
CWE-ID CWE-369
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
 sqlite (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Division by zero

EUVDB-ID: #VU23188

Risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-16168

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the whereLoopAddBtreeIndex in sqlite3.c due to improper input validation in the sqlite_stat1 sz field. A remote attacker can pass specially crafted data to the application, trigger division by zero error and crash the vulnerable application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

sqlite (Alpine package): 3.20.1-r0 - 3.25.3-r1

sqlite (Alpine package):

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=0aa5cea84fa7029c83cff7e6fab3046d80aa65e0
https://git.alpinelinux.org/aports/commit/?id=1833ad9258bf53ebd1f42ccecc5bbf2696c7e19a
https://git.alpinelinux.org/aports/commit/?id=18528a54c8a02fb5f59a2e8fb70ec0b83486acc6
https://git.alpinelinux.org/aports/commit/?id=d5f87185a9e0878348a7b8340fbff4677e23d996


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###