Out-of-bounds write in SQLite

#VU30165 Out-of-bounds write in SQLite

Published: 2020-06-27 | Updated: 2023-10-28

Vulnerability identifier: #VU30165

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-15358

CWE-ID:

Exploitation vector: Local

Exploit availability:

Vulnerable software:
SQLite
Server applications / Database software

Vendor: SQLite

Description

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

Mitigation
Install update from vendor's website.

Vulnerable software versions

SQLite: 3.32.0 - 3.32.2

Fixed software versions

CPE

cpe:2.3:a:sqlite:sqlite:3.32.0:*:*:*:*:*:*:*

External links
http://security.netapp.com/advisory/ntap-20200709-0001/
http://www.sqlite.org/src/info/10fa79d00f8091e5
http://www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2
http://www.sqlite.org/src/tktview?name=8f157e8010

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell Unity, Dell UnityVSA, and Dell Unity XT

Multiple vulnerabilities in Dell EMC VxRail Appliance

Multiple vulnerabilities in IBM Cloud Pak for Security

Multiple vulnerabilities in Red Hat Service Telemetry Framework

Juniper Junos OS and Junos OS Evolved update for SQLite

Multiple vulnerabilities in IBM QRadar Data Synchronization App

Multiple vulnerabilities in Dell EMC Data Protection Search

Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance

Multiple vulnerabilities in Siemens SINEC INS

Multiple vulnerabilities in IBM Security Verify Access