In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apple
  • Icloud
  • Ipados
  • Iphone Os
  • Macos
  • Tvos
  • Watchos
Canonical
  • Ubuntu Linux
Oracle
  • Communications Cloud Native Core Policy
  • Communications Messaging Server
  • Communications Network Charging And Control
  • Enterprise Manager Ops Center
  • Hyperion Infrastructure Technology
  • Mysql
  • Outside In Technology
Redhat
  • Enterprise Linux
Siemens
  • Sinec Infrastructure Network Services
Sqlite
  • Sqlite

Configuration 1 [-]

cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:outside_in_technology:8.5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*

Configuration 5 [-]

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 8
sqlite-0:3.26.0-13.el8 cpe:/a:redhat:enterprise_linux:8 RHSA-2021:1581 2021-05-18T00:00:00Z
sqlite-0:3.26.0-13.el8 cpe:/o:redhat:enterprise_linux:8 RHSA-2021:1581 2021-05-18T00:00:00Z

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2020-7355 In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
Ubuntu USN Ubuntu USN USN-4438-1 SQLite vulnerability
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://seclists.org/fulldisclosure/2020/Dec/32 cve-icon cve-icon
http://seclists.org/fulldisclosure/2020/Nov/19 cve-icon cve-icon
http://seclists.org/fulldisclosure/2020/Nov/20 cve-icon cve-icon
http://seclists.org/fulldisclosure/2020/Nov/22 cve-icon cve-icon
http://seclists.org/fulldisclosure/2021/Feb/14 cve-icon cve-icon
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2020-15358 cve-icon
https://security.gentoo.org/glsa/202007-26 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20200709-0001/ cve-icon cve-icon
https://support.apple.com/kb/HT211843 cve-icon cve-icon
https://support.apple.com/kb/HT211844 cve-icon cve-icon
https://support.apple.com/kb/HT211847 cve-icon cve-icon
https://support.apple.com/kb/HT211850 cve-icon cve-icon
https://support.apple.com/kb/HT211931 cve-icon cve-icon
https://support.apple.com/kb/HT212147 cve-icon cve-icon
https://usn.ubuntu.com/4438-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2020-15358 cve-icon
https://www.oracle.com/security-alerts/cpuApr2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
https://www.sqlite.org/src/info/10fa79d00f8091e5 cve-icon cve-icon
https://www.sqlite.org/src/timeline?p=version-3.32.3&bt=version-3.32.2 cve-icon cve-icon
https://www.sqlite.org/src/tktview?name=8f157e8010 cve-icon cve-icon
History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00076}

 epss

{'score': 0.00041}
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-04T13:15:20.050Z

Reserved: 2020-06-27T00:00:00

Link: CVE-2020-15358

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-06-27T12:15:11.187

Modified: 2024-11-21T05:05:24.197

Link: CVE-2020-15358

cve-icon Redhat

Severity : Moderate

Publid Date: 2020-06-15T00:00:00Z

Links: CVE-2020-15358 - Bugzilla

cve-icon OpenCVE Enrichment

No data.