Vulnerability Name:

CVE-2020-11655 (CCN-180289)

Assigned:2020-04-09
Published:2020-04-09
Updated:2022-04-08
Summary:SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-665
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2020-11655

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: XF
Type: UNKNOWN
sqlite-cve202011655-dos(180289)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200505 [SECURITY] [DLA 2203-1] sqlite3 security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200822 [SECURITY] [DLA 2340-1] sqlite3 security update

Source: FREEBSD
Type: Third Party Advisory
FreeBSD-SA-20:22

Source: GENTOO
Type: Third Party Advisory
GLSA-202007-26

Source: CCN
Type: NetApp Advisory Number NTAP-20200416-0001
April 2020 SQLite Vulnerabilities in NetApp Products

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20200416-0001/

Source: UBUNTU
Type: Third Party Advisory
USN-4394-1

Source: CCN
Type: IBM Security Bulletin 6211992 (PowerAI)
A security vulnerability has been identified in SQLite shipped with IBM Watson Machine Learning Community Edition (WMLCE)

Source: CCN
Type: IBM Security Bulletin 6245634 (Tivoli Composite Application Manager for Applications)
Addressing the Sqlite Vulnerability CVE-2020-11656, CVE-2020-11655

Source: CCN
Type: IBM Security Bulletin 6258179 (Cloud Application Performance Management)
A vulneraqbility in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2020-11655, CVE-2020-11656)

Source: CCN
Type: IBM Security Bulletin 6403862 (MaaS360 Cloud Extender)
IBM MaaS360 Cloud Extender has security vulnerabilities (CVE-2020-1155, CVE-2020-1156)

Source: CCN
Type: IBM Security Bulletin 6410788 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6590981 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: CCN
Type: SQLite Web site
Fix a case when a pointer might be used after being freed in the ALTER TABLE code.

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://www.tenable.com/security/tns-2021-14

Source: MISC
Type: Patch, Vendor Advisory
https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11

Source: MISC
Type: Exploit, Vendor Advisory
https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sqlite:sqlite:*:*:*:*:*:*:*:* (Version <= 3.31.1)

    • Configuration 2:
  • cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

    • Configuration 5:
  • cpe:/a:oracle:communications_element_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.2)
  • OR cpe:/a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.0.3)
  • OR cpe:/a:oracle:communications_network_charging_and_control:12.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.2)
  • OR cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.2)
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.0.22)
  • OR cpe:/a:oracle:mysql_workbench:*:*:*:*:*:*:*:* (Version <= 8.0.22)
  • OR cpe:/a:oracle:outside_in_technology:8.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
  • OR cpe:/o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

    • Configuration 6:
  • cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

    • Configuration 7:
  • cpe:/a:tenable:tenable.sc:*:*:*:*:*:*:*:* (Version < 5.19.0)

    • Configuration CCN 1:
  • cpe:/a:sqlite:sqlite:3.31.1:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cloud_application_performance_management:8.1.4:*:*:*:*:advanced_private:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sqlite sqlite *
    netapp ontap select deploy administration utility -
    debian debian linux 8.0
    debian debian linux 9.0
    canonical ubuntu linux 16.04
    canonical ubuntu linux 18.04
    canonical ubuntu linux 19.10
    canonical ubuntu linux 20.04
    oracle communications element manager *
    oracle communications network charging and control 6.0.1
    oracle communications network charging and control *
    oracle communications network charging and control 12.0.2
    oracle communications session report manager *
    oracle communications session route manager *
    oracle enterprise manager ops center 12.4.0.0
    oracle hyperion infrastructure technology 11.1.2.4
    oracle instantis enterprisetrack 17.1
    oracle instantis enterprisetrack 17.2
    oracle instantis enterprisetrack 17.3
    oracle mysql *
    oracle mysql workbench *
    oracle outside in technology 8.5.4
    oracle outside in technology 8.5.5
    oracle zfs storage appliance kit 8.8
    oracle communications messaging server 8.1
    siemens sinec infrastructure network services *
    tenable tenable.sc *
    sqlite sqlite 3.31.1
    netapp ontap select deploy administration utility -
    ibm cloud application performance management 8.1.4
    ibm data risk manager 2.0.6