CVE-2020-13871 — HIGH (7.5)

Q: What is CVE-2020-13871?

CVE-2020-13871 is a vulnerability with a CVSS score of 7.5 (HIGH). SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

Q: How severe is CVE-2020-13871?

CVE-2020-13871 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-13871?

Check the references section above for vendor advisories and patch information. Affected products include: Sqlite Sqlite, Fedoraproject Fedora, Debian Debian Linux, Oracle Communications Messaging Server, Oracle Communications Network Charging And Control.

Vulnerability Description

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sqlite	Sqlite	3.32.2
Fedoraproject	Fedora	33
Debian	Debian Linux	9.0
Oracle	Communications Messaging Server	8.1
Oracle	Communications Network Charging And Control	6.0.1
Oracle	Enterprise Manager Ops Center	12.4.0.0
Oracle	Hyperion Infrastructure Technology	11.1.2.4
Oracle	Mysql Workbench	<= 8.0.22
Oracle	Zfs Storage Appliance Kit	8.8
Siemens	Sinec Infrastructure Network Services	< 1.0.1.1
Netapp	Cloud Backup	-
Netapp	Ontap Select Deploy Administration Utility	-

Related Weaknesses (CWE)

CWE-416

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00037.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202007-26MitigationThird Party Advisory
https://security.netapp.com/advisory/ntap-20200619-0002/Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
https://www.sqlite.org/src/info/79eff1d0383179c4PatchVendor Advisory
https://www.sqlite.org/src/info/c8d3b9f0a750a529ExploitVendor Advisory
https://www.sqlite.org/src/info/cd708fa84d2aaaeaExploitVendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00037.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202007-26MitigationThird Party Advisory
https://security.netapp.com/advisory/ntap-20200619-0002/Third Party Advisory

FAQ

What is CVE-2020-13871?

CVE-2020-13871 is a vulnerability with a CVSS score of 7.5 (HIGH). SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

How severe is CVE-2020-13871?

CVE-2020-13871 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-13871?

Check the references section above for vendor advisories and patch information. Affected products include: Sqlite Sqlite, Fedoraproject Fedora, Debian Debian Linux, Oracle Communications Messaging Server, Oracle Communications Network Charging And Control.