- Magellan 2.0 is a set of five vulnerabilities.
- The vulnerabilities are caused by improper input validation in SQL commands the SQLite database receives from a third party.
A new set of SQLite vulnerabilities affecting Chrome versions prior to 79.0.3945.79 has been uncovered by security researchers. Dubbed Magellan 2.0, it is a collection of five vulnerabilities.
What is the impact?
- Discovered by the Tencent Blade security team, the Magellan 2.0 vulnerabilities are caused by improper input validation in SQL commands the SQLite database receives from a third party.
- An attacker can craft an SQL operation that contains malicious code. When the SQLite database engine reads this operation, it can perform commands on behalf of the attacker.
- By abusing Magellan 2.0, an attacker can achieve remote code execution, leak program memory, or cause a program to crash.
What are the vulnerabilities?
The vulnerabilities that make up Magellan 2.0 are tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, and CVE-2019-13753.
Which devices are affected?
All apps that use an SQLite database are vulnerable to Magellan 2.0. The vulnerabilities also affect browsers that have WebSQL enabled and meet one of the following conditions:
- Smart devices using an old version of Chrome/Chromium.
- Browsers built with an old version of Chromium/Webview.
- Android apps that use an old version of Webview and can access any web page.
- Software that uses an old version of Chromium and can access any web page.
How to resolve the issue?
The five Magellan 2.0 vulnerabilities have been fixed in Google Chrome 79.0.3945.79. The SQLite project has also fixed the bugs in a series of patches on December 13, 2019. However, these fixes are not included in the stable SQLite release v3.30.1, which was released on December 10.
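
A first-pass inventory check built on the version numbers above, as an added example that is not part of the original article: it flags Chrome, Chromium and Android WebView user agents older than 79.0.3945.79 and SQLite libraries at or below v3.30.1. The function names and sample user-agent strings are constructed for illustration, and a version number alone cannot show whether a vendor has backported the patches.

```python
import re
import sqlite3

CHROME_FIXED = (79, 0, 3945, 79)   # first fixed Chrome build, per the article
SQLITE_UNFIXED = (3, 30, 1)        # article: this stable release lacks the fixes

CHROME_TOKEN = re.compile(r"(?:Chrome|Chromium)/(\d+(?:\.\d+){0,3})")

def parse_version(text, width):
    """'79.0.3945.9' -> (79, 0, 3945, 9); pads or truncates to `width` fields."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0] * width)[:width])

def chrome_predates_fix(user_agent):
    """True/False for Chromium-based agents, None when there is no Chrome token."""
    match = CHROME_TOKEN.search(user_agent)
    if match is None:
        return None
    # Compare numerically: as strings, '79.0.3945.9' sorts after '79.0.3945.79'.
    return parse_version(match.group(1), 4) < CHROME_FIXED

def sqlite_predates_fix(version):
    """True when the SQLite version is at or below the release the article names."""
    return parse_version(version, 3) <= SQLITE_UNFIXED

def triage(user_agents):
    """Return (kind, user_agent) for every agent older than the fixed build."""
    findings = []
    for ua in user_agents:
        if chrome_predates_fix(ua):
            # Android WebView marks itself with '; wv)' in the platform section.
            kind = "webview" if "; wv)" in ua else "browser"
            findings.append((kind, ua))
    return findings

# Constructed sample User-Agent strings (not taken from any real log).
SAMPLE_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36",
    "Mozilla/5.0 (Linux; Android 9; Pixel 3; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/77.0.3865.116 Mobile Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; rv:71.0) Gecko/20100101 Firefox/71.0",
]

if __name__ == "__main__":
    for kind, ua in triage(SAMPLE_AGENTS):
        print(f"predates fix [{kind}]: {ua}")
    print("local SQLite", sqlite3.sqlite_version,
          "predates fix:", sqlite_predates_fix(sqlite3.sqlite_version))
```

A user agent does not reveal whether WebSQL is enabled, so a flagged entry still needs to be checked against the conditions listed under "Which devices are affected?".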