Vulnerability Details : CVE-2018-20505
Potential exploit
SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).
Vulnerability category: SQL Injection; Denial of service
Products affected by CVE-2018-20505
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*
- cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-20505
- EPSS score: 12.44% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~95% (the proportion of vulnerabilities scored at or below this one)
- EPSS Score History
CVSS scores for CVE-2018-20505
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
| 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-20505
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. (Assigned by: nvd@nist.gov (Primary))
References for CVE-2018-20505
- http://seclists.org/fulldisclosure/2019/Jan/69 : Full Disclosure: APPLE-SA-2019-1-24-1 iTunes 12.9.3 for Windows (Mailing List; Third Party Advisory)
- https://support.apple.com/kb/HT209443 : About the security content of iOS 12.1.3 - Apple Support (Vendor Advisory)
- https://seclists.org/bugtraq/2019/Jan/39 : Bugtraq: APPLE-SA-2019-1-24-1 iTunes 12.9.3 for Windows (Mailing List; Third Party Advisory)
- https://support.apple.com/kb/HT209450 : About the security content of iTunes 12.9.3 for Windows - Apple Support (Vendor Advisory)
- https://seclists.org/bugtraq/2019/Jan/29 : Bugtraq: APPLE-SA-2019-1-22-6 iCloud for Windows 7.10 (Mailing List; Third Party Advisory)
- https://sqlite.org/src/info/1a84668dcfdebaf12415d : SQLite: View Ticket (Exploit; Vendor Advisory)
- http://seclists.org/fulldisclosure/2019/Jan/64 : Full Disclosure: APPLE-SA-2019-1-22-1 iOS 12.1.3 (Mailing List; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20190502-0004/ : April 2019 SQLite Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://seclists.org/fulldisclosure/2019/Jan/66 : Full Disclosure: APPLE-SA-2019-1-22-4 tvOS 12.1.2 (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/4019-1/ : USN-4019-1: SQLite vulnerabilities | Ubuntu security notices
- http://seclists.org/fulldisclosure/2019/Jan/68 : Full Disclosure: APPLE-SA-2019-1-22-3 watchOS 5.1.3 (Mailing List; Third Party Advisory)
- https://seclists.org/bugtraq/2019/Jan/28 : Bugtraq: APPLE-SA-2019-1-22-1 iOS 12.1.3 (Mailing List; Third Party Advisory)
- https://seclists.org/bugtraq/2019/Jan/32 : Bugtraq: APPLE-SA-2019-1-22-3 watchOS 5.1.3 (Mailing List; Third Party Advisory)
- https://seclists.org/bugtraq/2019/Jan/33 : Bugtraq: APPLE-SA-2019-1-22-4 tvOS 12.1.2 (Mailing List; Third Party Advisory)
- http://seclists.org/fulldisclosure/2019/Jan/67 : Full Disclosure: APPLE-SA-2019-1-22-6 iCloud for Windows 7.10 (Mailing List; Third Party Advisory)
- http://seclists.org/fulldisclosure/2019/Jan/62 : Full Disclosure: APPLE-SA-2019-1-22-2 macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra (Mailing List; Third Party Advisory)
- http://www.securityfocus.com/bid/106698 : SQLite 'FTS3' extension Remote Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- https://support.apple.com/kb/HT209447 : About the security content of tvOS 12.1.2 - Apple Support (Vendor Advisory)
- https://support.apple.com/kb/HT209448 : About the security content of watchOS 5.1.3 - Apple Support (Vendor Advisory)
- https://support.apple.com/kb/HT209451 : About the security content of iCloud for Windows 7.10 - Apple Support (Vendor Advisory)
- https://seclists.org/bugtraq/2019/Jan/31 : Bugtraq: APPLE-SA-2019-1-22-2 macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra (Mailing List; Third Party Advisory)
- https://support.apple.com/kb/HT209446 : About the security content of macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra - Apple Support (Vendor Advisory)