CVE-2018-20505 — SQL Injection in Sqlite

CWE-89 — SQL Injection16 documents10 sources

Severity

7.5HIGHNVD

OSV5.9

EPSS

8.7%

top 7.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ghost Sqlite3 Apple Icloud Apple Iphone OS +4 more

Timeline

PublishedApr 3

Latest updateMay 14

Description

SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶Debianghost/sqlite3< 3.25.3-1+3

▶Ubuntughost/sqlite3< 3.11.0-1ubuntu1.2+1

▶NVDsqlite/sqlite3.25.2

▶NVDapple/icloud< 7.10

▶NVDapple/itunes< 12.9.3

🔴Vulnerability Details

GHSA

GHSA-rx75-3g2g-6hp5: SQLite 3↗2022-05-14

▶

OSV

sqlite3 vulnerabilities↗2019-06-19

▶

CVEList

CVE-2018-20505: SQLite 3↗2019-04-03

▶

OSV

CVE-2018-20505: SQLite 3↗2019-04-03

▶

📋Vendor Advisories

Ubuntu

SQLite vulnerabilities↗2019-06-19

▶

Microsoft

SQLite 3.25.2 when queries are run on a table with a malformed PRIMARY KEY allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL state↗2019-04-09

▶

Apple

CVE-2018-20505: iTunes 12.9.3 for Windows↗2019-01-24

▶

Apple

CVE-2018-20505: tvOS 12.1.2↗2019-01-22

▶

Apple

CVE-2018-20505: iCloud for Windows 7.10↗2019-01-22

▶

💬Community

Bugzilla

CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)↗2018-12-14

▶