CVE-2015-3416 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2015-3416?

CVE-2015-3416 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-3416?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Sqlite Sqlite, Debian Debian Linux, Apple Mac Os X, Apple Watchos.

Vulnerability Description

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	12.04
Sqlite	Sqlite	<= 3.8.8.3
Debian	Debian Linux	8.0
Apple	Mac Os X	<= 10.6.8
Apple	Watchos	<= 1.0.1
Php	Php	>= 5.4.0, < 5.4.42

Related Weaknesses (CWE)

CWE-190

References

http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.htmlMailing ListThird Party Advisory
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.htmlMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1634.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-1635.htmlThird Party Advisory
http://seclists.org/fulldisclosure/2015/Apr/31Mailing ListThird Party AdvisoryVDB Entry
http://www.debian.org/security/2015/dsa-3252Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:217Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
http://www.securityfocus.com/bid/74228Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1033703Third Party AdvisoryVDB Entry
http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920Vendor Advisory
http://www.ubuntu.com/usn/USN-2698-1Third Party Advisory
https://security.gentoo.org/glsa/201507-05Third Party Advisory
https://support.apple.com/HT205213Third Party Advisory

FAQ

What is CVE-2015-3416?

CVE-2015-3416 is a vulnerability with a CVSS score of 7.5 (HIGH). The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause...

How severe is CVE-2015-3416?

CVE-2015-3416 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-3416?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Sqlite Sqlite, Debian Debian Linux, Apple Mac Os X, Apple Watchos.