#VU67412 Out-of-bounds read in SQLite - CVE-2020-35527


Vulnerability identifier: #VU67412

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-35527

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SQLite
Server applications / Database software

Vendor: SQLite

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when handling ALTER TABLE for views that have a nested FROM clause. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SQLite: 3.31.0 - 3.31.1

External links
http://www.sqlite.org/src/info/c431b3fd8fd0f6a6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell RecoverPoint for Virtual Machines
Multiple vulnerabilities in Dell ObjectScale
Ubuntu update for sqlite3
Multiple vulnerabilities in IBM Netcool Operations Insight
Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4
Multiple vulnerabilities in OpenShift Container Platform 4.11
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Out-of-bounds read in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps
Multiple vulnerabilities in Migration Toolkit for Runtimes