CVE-2017-10989

Name: CVE-2017-10989
Creator: NVD / NIST
Published: 2017-07-07T12:29:00.197+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 8.61%

Last modified Jun 17, 2026

CVE-2017-10989 is a vulnerability of currently unknown severity. The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.. EPSS estimates a 8.61% chance of exploitation in the next 30 days.

Description

The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

Metrics

EPSS Probability

8.61%

94.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-125

Affected Software

Vendor	Product	Versions
Sqlite	Sqlite	<= 3.19.3

References

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html
http://marc.info/?l=sqlite-users&m=149933696214713&w=2Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.securityfocus.com/bid/99502Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039427
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405Permissions Required
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html
https://sqlite.org/src/info/66de6f4aIssue Tracking, Patch, Vendor Advisory
https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26Patch, Vendor Advisory
https://support.apple.com/HT208112
https://support.apple.com/HT208113
https://support.apple.com/HT208115
https://support.apple.com/HT208144
https://usn.ubuntu.com/4019-1/
https://usn.ubuntu.com/4019-2/
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html
http://marc.info/?l=sqlite-users&m=149933696214713&w=2Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.securityfocus.com/bid/99502Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039427
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405Permissions Required
https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html
https://sqlite.org/src/info/66de6f4aIssue Tracking, Patch, Vendor Advisory
https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26Patch, Vendor Advisory
https://support.apple.com/HT208112
https://support.apple.com/HT208113
https://support.apple.com/HT208115
https://support.apple.com/HT208144
https://usn.ubuntu.com/4019-1/
https://usn.ubuntu.com/4019-2/

Timeline

Published: Jul 7, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-10989?

How severe is CVE-2017-10989?

Severity scoring for CVE-2017-10989 is pending analysis. The EPSS model estimates a 8.61% probability of exploitation in the next 30 days.

How do I fix CVE-2017-10989?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-10989?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST