VYPR
Unrated severity · NVD Advisory · Published Sep 17, 2020 · Updated Aug 5, 2024

CVE-2019-20919

Description

A NULL pointer dereference in the DBI module before 1.643 for Perl allows denial of service via a crafted Profile attribute.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a NULL pointer dereference in the dbi_profile() function of the Perl DBI module (versions before 1.643). The function enters its error branch when profile is NULL or is not a reference (!profile || !SvROK(profile)), but inside that branch it calls SvOK(profile) without checking for NULL again, so a NULL profile is dereferenced and the process crashes. [2][3]

Exploitation

An attacker can exploit this by providing a non-hash reference as the Profile attribute to a database handle, which triggers the vulnerable code path. No authentication is needed if the attacker can influence the Profile attribute. [2]

Impact

Successful exploitation causes a denial of service due to a segmentation fault (NULL pointer dereference). This can crash the Perl process. [2]

Mitigation

The issue is fixed in DBI version 1.643, released on or before the commit date (2020-09-17). Upgrade to version 1.643 or later. Users unable to upgrade should ensure that the Profile attribute is not set to a non-hash reference. [2][3]
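
A check for the upgrade advice above (an added example, not code from the DBI project or from this advisory): it asks a given perl for $DBI::VERSION and compares the answer with 1.643. The function names dbi_affected and audit_perl and the paths in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the DBI project): flag Perl interpreters whose DBI
# predates the fixed release named in the advisory.
FIXED=1.643

# dbi_affected VERSION -> 0 if VERSION < FIXED, 1 if not, 2 if unparseable.
dbi_affected() {
    # Developer releases may carry an underscore (e.g. 1.643_01); Perl's
    # numeric eval of $VERSION ignores it, so drop it before comparing.
    v=$(printf '%s' "$1" | tr -d '_')
    case "$v" in
        ''|*[!0-9.]*|*.*.*|.*|*.) return 2 ;;
    esac
    # DBI versions are decimal numbers, so 1.64 sorts below 1.643.
    awk -v v="$v" -v f="$FIXED" 'BEGIN { if (v + 0 < f + 0) exit 0; exit 1 }'
}

# audit_perl PERL -> prints one status line; returns 1 if affected,
# 2 if the version could not be determined, 0 otherwise.
audit_perl() {
    perl_bin=$1
    if ! ver=$("$perl_bin" -MDBI -e 'print $DBI::VERSION' 2>/dev/null); then
        echo "$perl_bin: DBI not loadable (not installed, or perl not runnable)"
        return 2
    fi
    st=0
    dbi_affected "$ver" || st=$?
    case $st in
        0) echo "$perl_bin: DBI $ver AFFECTED, upgrade to $FIXED or later"; return 1 ;;
        1) echo "$perl_bin: DBI $ver fixed"; return 0 ;;
        *) echo "$perl_bin: DBI version '$ver' not understood"; return 2 ;;
    esac
}

# Usage: sh check_dbi.sh /usr/bin/perl /opt/app/bin/perl   (example paths)
for p in "$@"; do
    audit_perl "$p" || :
done
```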

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

30

Patches

2
4a68c5a79ab8

Bump VERSION to 1.643

https://github.com/perl5-dbi/dbi · Tim Bunce · Jan 31, 2020 · via osv
1 file changed · +1 -1
  • DBI.pm · +1 -1 · modified
    @@ -11,7 +11,7 @@ package DBI;
     require 5.008_001;
     
     BEGIN {
    -our $XS_VERSION = our $VERSION = "1.642"; # ==> ALSO update the version in the pod text below!
    +our $XS_VERSION = our $VERSION = "1.643"; # ==> ALSO update the version in the pod text below!
     $VERSION = eval $VERSION;
     }
     
    
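Review bot: The comment on the changed $VERSION line says to also update the version in the pod text, but this commit changes only that one line in DBI.pm (+1 -1), so the pod text is not touched here. Update the pod version in the same commit, or confirm it is handled separately, so the documented version matches 1.643.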
eca7d7c8f43d

Fix a NULL profile dereference in dbi_profile()

https://github.com/perl5-dbi/dbi · Petr Písař · Jul 29, 2019 · via osv
1 file changed · +6 -2
  • DBI.xs · +6 -2 · modified
    @@ -2888,8 +2888,12 @@ dbi_profile(SV *h, imp_xxh_t *imp_xxh, SV *statement_sv, SV *method, NV t1, NV t
             mg_get(profile); /* FETCH */
         if (!profile || !SvROK(profile)) {
             DBIc_set(imp_xxh, DBIcf_Profile, 0); /* disable */
    -        if (SvOK(profile) && !PL_dirty)
    -            warn("Profile attribute isn't a hash ref (%s,%ld)", neatsvpv(profile,0), (long)SvTYPE(profile));
    +        if (!PL_dirty) {
    +            if (!profile)
    +                warn("Profile attribute does not exist");
    +            else if (SvOK(profile))
    +                warn("Profile attribute isn't a hash ref (%s,%ld)", neatsvpv(profile,0), (long)SvTYPE(profile));
    +        }
             return &PL_sv_undef;
         }
     
    
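Review bot: Nothing in this commit exercises the new if (!profile) branch, since DBI.xs is the only file changed. Add a regression test that reaches dbi_profile() with the Profile attribute missing and asserts the "Profile attribute does not exist" warning instead of a crash. Separately, when profile is non-NULL but SvOK(profile) is false, profiling is still disabled without any warning; a one-line comment there would make the asymmetry with the new warning read as intentional.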

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.