What is CVE-2020-13871?

CVE-2020-13871 is a high-severity software vulnerability (Use-after-free) with a CVSS score of 7.5. SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

Is CVE-2020-13871 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 4%.

What products does CVE-2020-13871 affect?

Tracked products affected include Fedora. Check the version you run to see whether it is affected.

How do I fix CVE-2020-13871?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2020-13871

HIGH severity · CVSS 7.5 · Use-after-free

7.5CVSS HIGH

Summary

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)4%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (1)

Fedora

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf ↗

Additional information

NVD record
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatch
https://www.sqlite.org/src/info/79eff1d0383179c4Patch
https://security.gentoo.org/glsa/202007-26Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00037.htmlAdvisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN32AGQPMHZRNM6P6L5GZPETOWTGXOKP/
https://security.netapp.com/advisory/ntap-20200619-0002/Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlAdvisory
https://www.oracle.com/security-alerts/cpujan2021.htmlAdvisory