CVE-2020-13871

moderate-risk

Published 2020-06-06

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

Do I need to act?

2.4% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (13)

Sqlite

Fedora

Debian Linux

Communications Messaging Server

Communications Network Charging And Control

Enterprise Manager Ops Center

Hyperion Infrastructure Technology

Mysql Workbench

Zfs Storage Appliance Kit

Sinec Infrastructure Network Services

Cloud Backup

Ontap Select Deploy Administration Utility

Affected Vendors

Debian Oracle Siemens Fedoraproject Netapp Sqlite

References (20)

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Mailing List https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Mitigation https://security.gentoo.org/glsa/202007-26

Third Party Advisory https://security.netapp.com/advisory/ntap-20200619-0002/

Third Party Advisory https://www.oracle.com/security-alerts/cpuApr2021.html

Third Party Advisory https://www.oracle.com/security-alerts/cpujan2021.html

Patch https://www.sqlite.org/src/info/79eff1d0383179c4

Exploit https://www.sqlite.org/src/info/c8d3b9f0a750a529

Exploit https://www.sqlite.org/src/info/cd708fa84d2aaaea