CVE-2020-15358: Buffer Overflow
First published: Sat Jun 27 2020(Updated: )
In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
Credit: CVE-2020-15358 CVE-2020-15358 CVE-2020-15358 CVE-2020-15358 CVE-2020-15358 CVE-2020-15358 cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple iCloud for Windows | <7.21 | 7.21 |
| Apple macOS Big Sur | <11.0.1 | 11.0.1 |
| Apple macOS Big Sur | <11.2 | 11.2 |
| Apple Catalina | ||
| Apple Mojave | ||
| Apple watchOS | <7.0 | 7.0 |
| Apple tvOS | <14.0 | 14.0 |
| redhat/sqlite | <3.32.3 | 3.32.3 |
| Apple iOS | <14.0 | 14.0 |
| Apple iPadOS | <14.0 | 14.0 |
| SQLite SQLite | <3.32.3 | |
| Canonical Ubuntu Linux | =20.04 | |
| Apple Icloud Windows | <7.21 | |
| Apple iPadOS | <14.0 | |
| Apple iPhone OS | <14.0 | |
| Apple macOS | <11.0.1 | |
| Apple tvOS | <14.0 | |
| Apple watchOS | <7.0 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle Communications Messaging Server | =8.1 | |
| Oracle Communications Network Charging And Control | =6.0.1 | |
| Oracle Communications Network Charging And Control | =12.0.2 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle MySQL | <=8.0.22 | |
| Oracle Outside In Technology | =8.5.4 | |
| Oracle Outside In Technology | =8.5.5 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| Google Android | ||
| IBM Security Verify Access | <=10.0.0 | |
| debian/sqlite3 | 3.34.1-3 3.40.1-2 3.46.0-1 | |
| ubuntu/sqlite3 | <3.31.1-4ubuntu0.2 | 3.31.1-4ubuntu0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT211847 (Advisory)
- https://www.sqlite.org/src/info/10fa79d00f8091e5
- https://www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2
- https://www.sqlite.org/src/tktview?name=8f157e8010
- https://security.netapp.com/advisory/ntap-20200709-0001/
- https://security.gentoo.org/glsa/202007-26
- https://usn.ubuntu.com/4438-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://support.apple.com/kb/HT211843
- https://support.apple.com/kb/HT211844
- https://support.apple.com/kb/HT211850
- https://support.apple.com/kb/HT211931
- https://support.apple.com/kb/HT211847
- http://seclists.org/fulldisclosure/2020/Nov/20
- http://seclists.org/fulldisclosure/2020/Nov/19
- http://seclists.org/fulldisclosure/2020/Nov/22
- http://seclists.org/fulldisclosure/2020/Dec/32
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://support.apple.com/kb/HT212147
- http://seclists.org/fulldisclosure/2021/Feb/14
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://launchpad.net/bugs/cve/CVE-2020-15358
- https://support.apple.com/en-us/HT211931 (Advisory)
- https://support.apple.com/en-us/HT212147 (Advisory)
- https://support.apple.com/en-us/HT211844 (Advisory)
- https://support.apple.com/en-us/HT211843 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1851962
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1851963
- https://access.redhat.com/errata/RHSA-2021:1581
- https://access.redhat.com/security/cve/cve-2020-15358
- https://bugzilla.redhat.com/show_bug.cgi?id=1851957
- https://support.apple.com/en-us/HT211850 (Advisory)
- https://www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2
- https://android.googlesource.com/platform/external/sqlite/+/1935111b5e902f2ca305d1b2efae6fe46acfffe5
- https://source.android.com/docs/security/bulletin/2021-10-01 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/184103
- https://www.ibm.com/support/pages/node/6538418 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2020-15358
- https://ubuntu.com/security/notices/USN-4438-1
- https://www.cve.org/CVERecord?id=CVE-2020-15358
- https://nvd.nist.gov/vuln/detail/CVE-2020-15358
- https://ubuntu.com/security/CVE-2020-15358
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2020-36521
- CVE-2020-9991
- CVE-2020-15358
- CVE-2020-9952
- CVE-2020-27914
- CVE-2020-27915
- CVE-2020-27903
- CVE-2020-27910
- CVE-2020-27916
- CVE-2020-9943
- CVE-2020-9944
- CVE-2020-27906
- CVE-2020-27945
- CVE-2020-27908
- CVE-2020-27909
- CVE-2020-9960
- CVE-2020-10017
- CVE-2020-9949
- CVE-2020-9897
- CVE-2020-9883
- CVE-2020-10003
- CVE-2020-27922
- CVE-2020-9999
- CVE-2020-27937
- CVE-2020-9965
- CVE-2020-9966
- CVE-2020-27894
- CVE-2020-36615
- CVE-2021-1790
- CVE-2021-1775
- CVE-2020-29629
- CVE-2020-27942
- CVE-2020-9962
- CVE-2020-27952
- CVE-2020-9956
- CVE-2020-27931
- CVE-2020-27930
- CVE-2020-27927
- CVE-2020-29639
- CVE-2020-10002
- CVE-2020-9978
- CVE-2020-9955
- CVE-2020-27924
- CVE-2020-27912
- CVE-2020-27923
- CVE-2020-9876
- CVE-2020-10015
- CVE-2020-27897
- CVE-2020-27907
- CVE-2020-27919
- CVE-2020-9967
- CVE-2020-9975
- CVE-2020-27921
- CVE-2020-27904
- CVE-2019-14899
- CVE-2020-27950
- CVE-2020-9974
- CVE-2020-10016
- CVE-2020-27932
- CVE-2020-27917
- CVE-2020-27920
- CVE-2020-27911
- CVE-2020-9971
- CVE-2020-10014
- CVE-2020-10010
- CVE-2020-9941
- CVE-2020-9988
- CVE-2020-9989
- CVE-2020-10011
- CVE-2020-13524
- CVE-2020-10004
- CVE-2020-9996
- CVE-2020-27901
- CVE-2020-27900
- CVE-2019-20838
- CVE-2020-14155
- CVE-2020-10007
- CVE-2020-27896
- CVE-2020-9963
- CVE-2020-10012
- CVE-2020-10663
- CVE-2020-9945
- CVE-2020-9977
- CVE-2020-9942
- CVE-2020-9987
- CVE-2021-1803
- CVE-2020-9969
- CVE-2020-27893
- CVE-2021-1755
- CVE-2020-10005
- CVE-2020-9849
- CVE-2020-13631
- CVE-2020-13434
- CVE-2020-13435
- CVE-2020-13630
- CVE-2020-27899
- CVE-2020-10009
- CVE-2020-10008
- CVE-2020-27918
- CVE-2020-9947
- CVE-2020-9950
- CVE-2020-27898
- CVE-2020-27935
- CVE-2020-10006
- CVE-2021-1761
- CVE-2021-1797
- CVE-2021-1760
- CVE-2021-1747
- CVE-2021-1776
- CVE-2021-1759
- CVE-2021-1772
- CVE-2021-1792
- CVE-2021-1787
- CVE-2021-1786
- CVE-2021-1802
- CVE-2021-1791
- CVE-2020-29608
- CVE-2021-1758
- CVE-2021-1783
- CVE-2021-1741
- CVE-2021-1743
- CVE-2021-1773
- CVE-2021-1778
- CVE-2021-1736
- CVE-2021-1785
- CVE-2021-1766
- CVE-2021-1818
- CVE-2021-1742
- CVE-2021-1746
- CVE-2021-1754
- CVE-2021-1774
- CVE-2021-1777
- CVE-2021-1793
- CVE-2021-1737
- CVE-2021-1738
- CVE-2021-1744
- CVE-2021-1779
- CVE-2021-1757
- CVE-2021-1764
- CVE-2021-1782
- CVE-2021-1750
- CVE-2020-29633
- CVE-2021-1781
- CVE-2021-1771
- CVE-2021-1762
- CVE-2020-29614
- CVE-2021-1763
- CVE-2021-1767
- CVE-2021-1745
- CVE-2021-1753
- CVE-2021-1768
- CVE-2021-1751
- CVE-2020-25709
- CVE-2020-27938
- CVE-2021-1769
- CVE-2021-1788
- CVE-2021-1765
- CVE-2021-1801
- CVE-2021-1789
- CVE-2021-1871
- CVE-2021-1870
- CVE-2021-1799
- CVE-2021-30869
- CVE-2020-9954
- CVE-2020-9961
- CVE-2020-9976
- CVE-2020-9981
- CVE-2020-9946
- CVE-2020-9993
- CVE-2020-9968
- CVE-2020-9951
- CVE-2020-9983
- CVE-2020-9979
- CVE-2020-10013
- CVE-2020-9958
- CVE-2020-9773
- CVE-2020-9992
- CVE-2020-9964
- CVE-2020-13520
- CVE-2020-6147
- CVE-2020-9972
- CVE-2020-9973
- CVE-2020-9959
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2020-15358.
What is the title of this vulnerability?
The title of this vulnerability is 'SQLite. Multiple issues were addressed with improved checks.'
What was done to address the vulnerabilities?
The vulnerabilities were addressed by updating SQLite to version 3.32.3.
Which software products are affected by this vulnerability?
The affected software products include macOS Big Sur, watchOS, iOS, iPadOS, iCloud for Windows, and tvOS.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability on the Apple support website.
- collector/apple-support
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/software-canonical-lookup-request
- agent/remedy
- agent/severity
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-15358
- agent/software-canonical-lookup
- agent/description
- agent/weakness
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- collector/android-source
- source/Android
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/apple
- canonical/apple icloud for windows
- canonical/apple macos big sur
- canonical/apple catalina
- canonical/apple mojave
- canonical/apple watchos
- canonical/apple tvos
- package-manager/redhat
- canonical/apple ios
- canonical/apple ipados
- vendor/sqlite
- canonical/sqlite sqlite
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/20.04
- canonical/apple icloud windows
- canonical/apple iphone os
- canonical/apple macos
- vendor/oracle
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1
- canonical/oracle communications network charging and control
- version/oracle communications network charging and control/6.0.1
- version/oracle communications network charging and control/12.0.2
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle mysql
- version/oracle mysql/8.0.22
- canonical/oracle outside in technology
- version/oracle outside in technology/8.5.4
- version/oracle outside in technology/8.5.5
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/google
- canonical/google android
- vendor/ibm
- canonical/ibm security verify access
- version/ibm security verify access/10.0.0
- package-manager/ubuntu
- package-manager/debian