CVE-2019-19880: SQL Injection

Published Dec 18, 2019
·
Updated

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.

Other sources

SQLite is vulnerable to a denial of service, caused by an invalid pointer dereference in exprListAppendList in window.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.

IBM

Affected Software

18 affected componentsFixes available
IBM Data Risk Manager<=2.0.6
SQLite SQLite=3.30.1
NetApp Cloud Backup
Debian Debian Linux=9.0
Debian Debian Linux=10.0
SUSE Package Hub
SUSE Linux Enterprise=12.0
redhat Enterprise Linux Desktop=6.0
redhat Enterprise Linux Server=6.0
redhat Enterprise Linux Workstation=6.0
openSUSE Backports SLE=15.0-sp1
openSUSE Leap=15.1
Oracle MySQL Workbench<=8.0.19
Siemens Sinec Infrastructure Network Services<1.0.1.1
All of the following
SUSE Package Hub
SUSE Linux Enterprise=12.0
debian/chromium
120.0.6099.224-1~deb11u1143.0.7499.169-1~deb12u1146.0.7680.80-1~deb12u1145.0.7632.159-1~deb13u1146.0.7680.80-1~deb13u1146.0.7680.80-1
debian/sqlite3
3.34.1-33.34.1-3+deb11u13.40.1-2+deb12u23.46.1-7+deb13u13.46.1-9

Remediation

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch Available

https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54

Patch Available

https://www.oracle.com/security-alerts/cpuapr2020.html

Event History

Dec 18, 2019
CVE Published
via MITRE·05:07 AM
Data Sourced
via MITRE·05:07 AM
Description
Data Sourced
via NVD·06:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Dec 30, 2019
Data Sourced
via Red Hat·01:49 PM
DescriptionSeverityAffected Software
Jan 11, 2024
Data Sourced
via Launchpad·11:25 PM
Description
Feb 20, 2026
Data Sourced
via Ubuntu·11:05 PM
RemedyDescriptionSeverityAffected Software
Mar 17, 2026
Data Sourced
via Debian·11:25 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2019-19880?

CVE-2019-19880 is a vulnerability in SQLite that allows attackers to trigger an invalid pointer dereference, leading to a denial of service.

2

How severe is CVE-2019-19880?

CVE-2019-19880 has a severity score of 7.5 out of 10, indicating a high severity.

3

Which software products are affected by CVE-2019-19880?

IBM Data Risk Manager, Debian, Chromium, SQLite, SQLite3, Netapp Cloud Backup, Suse Package Hub, SUSE Linux Enterprise, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation, openSUSE Backports SLE, openSUSE Leap, Oracle MySQL Workbench, Siemens Sinec Infrastructure Network Services, and Ubuntu.

4

How can I fix CVE-2019-19880 in IBM Data Risk Manager?

To fix CVE-2019-19880 in IBM Data Risk Manager, update to version 2.0.6 or later. Apply the patch provided by IBM: [IBM Security Fix Central](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all)

5

How can I fix CVE-2019-19880 in Debian?

To fix CVE-2019-19880 in Debian, update the 'sqlite' or 'sqlite3' package to the latest version available. Check the Debian security advisory for detailed information.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203