Lucene search

[email protected]CVE-2020-15358

HistoryJun 27, 2020 - 12:15 p.m.

CVE-2020-15358

2020-06-2712:15:11

CWE-787

[email protected]

web.nvd.nist.gov

298

sqlite

cve-2020-15358

select.c

query-flattener optimization

heap overflow

nvd

security

vulnerability

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.5%

JSON

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

Affected configurations

NVD

Node

sqlitesqliteRange<3.32.3

Node

canonicalubuntu_linuxMatch20.04lts

Node

appleicloudRange<7.21windows

appleipadosRange<14.0

appleiphone_osRange<14.0

applemacosRange<11.0.1

appletvosRange<14.0

applewatchosRange<7.0

Node

oraclecommunications_cloud_native_core_policyMatch1.14.0

oraclecommunications_messaging_serverMatch8.1

oraclecommunications_network_charging_and_controlMatch6.0.1

oraclecommunications_network_charging_and_controlMatch12.0.2

oracleenterprise_manager_ops_centerMatch12.4.0.0

oraclehyperion_infrastructure_technologyMatch11.1.2.4

oraclemysqlRange≤8.0.22

oracleoutside_in_technologyMatch8.5.4

oracleoutside_in_technologyMatch8.5.5

Node

siemenssinec_infrastructure_network_servicesRange<1.0.1.1

CPENameOperatorVersion
sqlite:sqlitesqlitelt3.32.3

CPE	Name	Operator	Version
sqlite:sqlite	sqlite	lt	3.32.3

References

seclists.org/fulldisclosure/2020/Dec/32

seclists.org/fulldisclosure/2020/Nov/19

seclists.org/fulldisclosure/2020/Nov/20

seclists.org/fulldisclosure/2020/Nov/22

seclists.org/fulldisclosure/2021/Feb/14

cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

security.gentoo.org/glsa/202007-26

security.netapp.com/advisory/ntap-20200709-0001/

support.apple.com/kb/HT211843

support.apple.com/kb/HT211844

support.apple.com/kb/HT211847

support.apple.com/kb/HT211850

support.apple.com/kb/HT211931

support.apple.com/kb/HT212147

usn.ubuntu.com/4438-1/

www.oracle.com/security-alerts/cpuApr2021.html

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujan2021.html

www.oracle.com/security-alerts/cpuoct2020.html

www.sqlite.org/src/info/10fa79d00f8091e5

www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2

www.sqlite.org/src/tktview?name=8f157e8010

Social References

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.5%

JSON

CVE-2020-15358

Affected configurations

References

Social References

Related