CVE-2015-3415 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2015-3415?

CVE-2015-3415 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-3415?

Check the references section above for vendor advisories and patch information. Affected products include: Apple Mac Os X, Apple Watchos, Debian Debian Linux, Canonical Ubuntu Linux, Sqlite Sqlite.

Vulnerability Description

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Apple	Mac Os X	10.10.5
Apple	Watchos	1.0.1
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	12.04
Sqlite	Sqlite	<= 3.8.8.3
Php	Php	>= 5.4.0, < 5.4.42

Related Weaknesses (CWE)

CWE-404

References

http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.htmlMailing ListThird Party Advisory
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.htmlMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1635.htmlThird Party Advisory
http://seclists.org/fulldisclosure/2015/Apr/31Mailing ListThird Party AdvisoryVDB Entry
http://www.debian.org/security/2015/dsa-3252Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:217Broken Link
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
http://www.securityfocus.com/bid/74228Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1033703Third Party AdvisoryVDB Entry
http://www.ubuntu.com/usn/USN-2698-1Third Party Advisory
https://security.gentoo.org/glsa/201507-05Third Party Advisory
https://support.apple.com/HT205213Third Party Advisory
https://support.apple.com/HT205267Third Party Advisory
https://www.sqlite.org/src/info/02e3c88fbf6abdcf3975fb0fb71972b0ab30da30Vendor Advisory

FAQ

What is CVE-2015-3415?

CVE-2015-3415 is a vulnerability with a CVSS score of 7.5 (HIGH). The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free oper...

How severe is CVE-2015-3415?

CVE-2015-3415 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-3415?

Check the references section above for vendor advisories and patch information. Affected products include: Apple Mac Os X, Apple Watchos, Debian Debian Linux, Canonical Ubuntu Linux, Sqlite Sqlite.