CVE-2020-13871: Use after free in SQLite
First published: Sat Jun 06 2020(Updated: )
SQLite is vulnerable to a denial of service, caused by a use-after-free in resetAccumulator in select.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
Credit: cve@mitre.org Richard Lorenz SAP
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SQLite SQLite | =3.32.2 | |
| Fedoraproject Fedora | =33 | |
| Debian Debian Linux | =9.0 | |
| Oracle Communications Messaging Server | =8.1 | |
| Oracle Communications Network Charging And Control | =6.0.1 | |
| Oracle Communications Network Charging And Control | =12.0.2 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle Mysql Workbench | <=8.0.22 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| Netapp Cloud Backup | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Google Android | ||
| IBM Data Risk Manager | <=2.0.6 | |
| All of | ||
| Google Chrome | <86.0.4240.99 | 86.0.4240.99 |
| Google Android | * |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BN32AGQPMHZRNM6P6L5GZPETOWTGXOKP/
- https://security.gentoo.org/glsa/202007-26
- https://security.netapp.com/advisory/ntap-20200619-0002/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.sqlite.org/src/info/79eff1d0383179c4
- https://www.sqlite.org/src/info/c8d3b9f0a750a529
- https://www.sqlite.org/src/info/cd708fa84d2aaaea
- https://android.googlesource.com/platform/external/sqlite/+/84500124e617d2548c2b2374eb84a3e0ea8884d1
- https://source.android.com/docs/security/bulletin/2021-11-01 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/183370
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN32AGQPMHZRNM6P6L5GZPETOWTGXOKP/
- https://chromereleases.googleblog.com/2020/10/chrome-for-android-update_31.html (Advisory)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID for this SQLite vulnerability?
The vulnerability ID for this SQLite vulnerability is CVE-2020-13871.
What is the severity of CVE-2020-13871?
The severity of CVE-2020-13871 is high.
Which software products are affected by CVE-2020-13871?
The software products affected by CVE-2020-13871 are Google Android, IBM Data Risk Manager, SQLite, Fedoraproject Fedora, Debian Debian Linux, Oracle Communications Messaging Server, Oracle Communications Network Charging And Control, Oracle Enterprise Manager Ops Center, Oracle Hyperion Infrastructure Technology, Oracle Mysql Workbench, Oracle ZFS Storage Appliance Kit, Siemens Sinec Infrastructure Network Services, Netapp Cloud Backup, and NetApp ONTAP Select Deploy administration utility.
How can the CVE-2020-13871 vulnerability be exploited?
The CVE-2020-13871 vulnerability can be exploited by sending a specially crafted request to the vulnerable SQLite version.
Are there any patches available for CVE-2020-13871?
Yes, patches are available for some of the affected software products. Please refer to the respective vendor's website for patch information.
- collector/nvd-index
- agent/type
- agent/remedy
- agent/description
- agent/severity
- collector/android-source
- source/Android
- agent/software-canonical-lookup
- collector/ibm-support
- source/IBM
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- collector/chrome-releases
- agent/author
- agent/softwarecombine
- agent/references
- agent/title
- agent/tags
- vendor/sqlite
- canonical/sqlite sqlite
- version/sqlite sqlite/3.32.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/oracle
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1
- canonical/oracle communications network charging and control
- version/oracle communications network charging and control/6.0.1
- version/oracle communications network charging and control/12.0.2
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle mysql workbench
- version/oracle mysql workbench/8.0.22
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp ontap select deploy administration utility
- vendor/google
- canonical/google android
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- canonical/google chrome