CVE-2019-16168

CVSS V2 Medium 4.3 CVSS V3 Medium 6.5
Description
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
Overview
  • CVE ID
  • CVE-2019-16168
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2019-09-09T17:15:13
  • Last Modified Date
  • 2023-03-23T18:11:28
Weakness Enumerations
CWE URL
CWE-369 http://cwe.mitre.org/data/definitions/369.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:* 1 OR 3.8.5 3.29.0
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:* 1 OR 7.3
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:* 1 OR 9.5
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* 1 OR 11.0.0 11.60.3
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:tenable:nessus_agent:*:*:*:*:*:*:*:* 1 OR 8.2.3
cpe:2.3:a:oracle:communications_design_studio:7.3.4.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_design_studio:7.3.5.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_design_studio:7.4.0.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:jdk:1.8.0:update231:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:jre:1.8.0:update231:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* 1 OR 8.0.0 8.0.18
cpe:2.3:a:oracle:outside_in_technology:8.5.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:oracle:zfs_storage_appliance:8.8:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:N/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • NONE
  • Availability Impact
  • PARTIAL
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • REQUIRED
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • HIGH
  • Base Score
  • 6.5
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 3.6
References
Reference URL Reference Tags
https://www.sqlite.org/src/timeline?c=98357d8c1263920b Patch Vendor Advisory
https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html Third Party Advisory
https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62 Vendor Advisory
https://security.netapp.com/advisory/ntap-20190926-0003/ Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html Broken Link
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html Broken Link
https://usn.ubuntu.com/4205-1/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/ Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html Third Party Advisory
https://security.netapp.com/advisory/ntap-20200122-0003/ Third Party Advisory
https://security.gentoo.org/glsa/202003-16 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html Mailing List Third Party Advisory
https://www.tenable.com/security/tns-2021-08 Third Party Advisory
https://www.tenable.com/security/tns-2021-11
https://www.tenable.com/security/tns-2021-14
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2019-16168
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
History
Created Old Value New Value Data Type Notes
2022-05-10 06:58:50 Added to TrackCVE
2022-12-04 02:25:49 2019-09-09T17:15Z 2019-09-09T17:15:13 CVE Published Date updated
2022-12-04 02:25:49 2021-07-31T08:15:08 CVE Modified Date updated
2022-12-04 02:25:49 Modified Vulnerability Status updated
2023-01-25 21:08:51 Modified Undergoing Analysis Vulnerability Status updated
2023-03-27 14:10:21 2023-03-23T18:11:28 CVE Modified Date updated
2023-03-27 14:10:21 Undergoing Analysis Analyzed Vulnerability Status updated