Vulnerability CVE-2020-13630

Vulnerability Name:

CVE-2020-13630 (CCN-182613)

Assigned:

2020-05-16

Published:

2020-05-16

Updated:

2022-05-13

Summary:

ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.

CVSS v3 Severity:

7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

7.0 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-416

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2020-13630

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20201215 APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20201115 APPLE-SA-2020-11-13-4 Additional information for APPLE-SA-2020-09-16-2 tvOS 14.0

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20201115 APPLE-SA-2020-11-13-3 Additional information for APPLE-SA-2020-09-16-1 iOS 14.0 and iPadOS 14.0

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20201115 APPLE-SA-2020-11-13-6 Additional information for APPLE-SA-2020-09-16-4 watchOS 7.0

Source: MISC
Type: Permissions Required, Third Party Advisory
https://bugs.chromium.org/p/chromium/issues/detail?id=1080459

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: XF
Type: UNKNOWN
sqlite-cve202013630-dos(182613)

Source: MLIST
Type: Third Party Advisory
[debian-lts-announce] 20200822 [SECURITY] [DLA 2340-1] sqlite3 security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-0477f8840e

Source: FREEBSD
Type: Mitigation, Third Party Advisory
FreeBSD-SA-20:22

Source: GENTOO
Type: Third Party Advisory
GLSA-202007-26

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20200608-0002/

Source: CCN
Type: SQLite Check-in [0d69f76f]
Fix a use-after-free bug in the fts3 snippet() function

Source: MISC
Type: Patch, Vendor Advisory
https://sqlite.org/src/info/0d69f76f0865f962

Source: CCN
Type: Apple security document HT211931
About the security content of macOS Big Sur 11.0.1

Source: CCN
Type: Apple security document HT211935
About the security content of iCloud for Windows 11.5

Source: CCN
Type: Apple security document HT211952
About the security content of iTunes 12.10.9 for Windows

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://support.apple.com/kb/HT211843

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://support.apple.com/kb/HT211844

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://support.apple.com/kb/HT211850

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://support.apple.com/kb/HT211931

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://support.apple.com/kb/HT211935

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://support.apple.com/kb/HT211952

Source: UBUNTU
Type: Patch, Third Party Advisory
USN-4394-1

Source: CCN
Type: IBM Security Bulletin 6250509 (Watson Machine Learning Community Edition)
WML CE: WML CE: SQLite through 3.32.0 has various security issues.

Source: CCN
Type: IBM Security Bulletin 6410788 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6590981 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-13630

Vulnerable Configuration:

Configuration 1:

cpe:/a:sqlite:sqlite:*:*:*:*:*:*:*:* (Version < 3.32.0)

Configuration 2:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

Configuration 4:

cpe:/a:netapp:cloud_backup:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:solidfire,_enterprise_sds_&_hci_storage_node:-:*:*:*:*:*:*:*

Configuration 5:

cpe:/o:brocade:fabric_operating_system:-:*:*:*:*:*:*:*

Configuration 6:

cpe:/o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*

AND

cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 7:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 8:

cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

Configuration 9:

cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version < 14.0)

OR cpe:/o:apple:watchos:*:*:*:*:*:*:*:* (Version < 7.0)

OR cpe:/o:apple:tvos:*:*:*:*:*:*:*:* (Version < 14.0)

OR cpe:/o:apple:ipados:*:*:*:*:*:*:*:* (Version < 14.0)

OR cpe:/a:apple:icloud:*:*:*:*:*:windows:*:* (Version < 11.5)

OR cpe:/a:apple:itunes:*:*:*:*:*:windows:*:* (Version < 12.10.9)

OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version < 11.0.1)

Configuration 10:

cpe:/a:oracle:outside_in_technology:8.5.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:* (Version >= 12.0.0 and <= 12.0.3)

OR cpe:/a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sqlite:sqlite:3.31.1:*:*:*:*:*:*:*

AND

cpe:/a:ibm:watson_machine_learning:1.6.2:*:community:*:*:*:*:*

OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_machine_learning:1.7.0:*:community:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7675	P	libsqlite3-0-3.39.3-150000.3.20.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:51964	P	Security update for libarchive (Low)	2022-11-23
oval:org.opensuse.security:def:740	P	Security update for icu (Moderate)	2022-09-07
oval:org.opensuse.security:def:3641	P	Security update for ncurses (Moderate) (in QA)	2022-07-18
oval:org.opensuse.security:def:6091	P	Security update for rsyslog (Important)	2022-07-06
oval:org.opensuse.security:def:3455	P	coolkey-1.1.0-148.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3083	P	gnome-keyring-3.20.0-28.3.18 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94713	P	libsqlite3-0-3.36.0-3.12.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94567	P	gnutls-3.7.3-150400.2.12 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95318	P	Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (Important)	2022-05-16
oval:org.opensuse.security:def:102031	P	Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP3) (Important)	2022-03-29
oval:org.opensuse.security:def:112849	P	libsqlite3-0-3.36.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99502	P	(Important)	2022-01-17
oval:org.opensuse.security:def:99701	P	(Moderate)	2021-12-06
oval:org.opensuse.security:def:100010	P	(Moderate)	2021-10-27
oval:org.opensuse.security:def:106312	P	libsqlite3-0-3.36.0-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:31279	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:59545	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:88512	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:127173	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:55250	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:84215	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:33722	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:29427	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:57510	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:86659	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:82634	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:31687	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:59803	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:89200	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:23681	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:55953	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:84673	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:33980	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:30130	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:58018	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:87478	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:125609	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:51669	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:83337	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:32195	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:60373	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:89458	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:23976	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:56073	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:85743	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:34550	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:30250	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:58837	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:88196	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:126776	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:83457	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:33014	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:26137	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:57102	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:86151	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:5124	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:93102	P	(Moderate)	2021-08-23
oval:org.opensuse.security:def:101280	P	libtdsodbc0-1.1.36-3.3.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:110972	P	Security update for sqlite3 (Important)	2021-07-19
oval:org.opensuse.security:def:69503	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:108697	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:94178	P	(Important)	2021-07-14
oval:org.opensuse.security:def:10303	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:8619	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:70443	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:99395	P	(Important)	2021-07-14
oval:org.opensuse.security:def:64730	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:99111	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:117461	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:111619	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:76248	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:93572	P	(Important)	2021-07-14
oval:org.opensuse.security:def:9553	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:92552	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:100636	P	(Important)	2021-07-14
oval:org.opensuse.security:def:69693	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:94389	P	(Important)	2021-07-14
oval:org.opensuse.security:def:73666	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:93255	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:42100	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:8805	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:91966	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:99658	P	(Important)	2021-07-14
oval:org.opensuse.security:def:66859	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:99303	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:93752	P	(Important)	2021-07-14
oval:org.opensuse.security:def:9752	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:92751	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:101471	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:5770	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:69892	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:73852	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:93098	P	(Important)	2021-07-14
oval:org.opensuse.security:def:9000	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:92161	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:99972	P	(Important)	2021-07-14
oval:org.opensuse.security:def:67180	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:107946	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:93966	P	(Important)	2021-07-14
oval:org.opensuse.security:def:10117	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:92949	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:70257	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:64544	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:98916	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:75927	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:93416	P	(Important)	2021-07-14
oval:org.opensuse.security:def:9363	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:92353	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:100308	P	(Important)	2021-07-14
oval:com.redhat.rhsa:def:20211968	P	RHSA-2021:1968: mingw packages security and bug fix update (Moderate)	2021-05-18
oval:com.redhat.rhsa:def:20204442	P	RHSA-2020:4442: sqlite security update (Moderate)	2020-11-04

BACK