Vulnerability Details : CVE-2021-20227
A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.
Vulnerability category: Memory CorruptionDenial of service
Products affected by CVE-2021-20227
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_for_oracle_database:13.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
- Oracle » Communications Network Charging And ControlVersions from including (>=) 12.0.1.0 and up to, including, (<=) 12.0.4.0.0cpe:2.3:a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-20227
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-20227
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P |
3.9
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2021-20227
-
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)
References for CVE-2021-20227
-
https://security.gentoo.org/glsa/202210-40
SQLite: Multiple Vulnerabilities (GLSA 202210-40) — Gentoo securityThird Party Advisory
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20210423-0010/
CVE-2021-20227 SQLite Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1924886
1924886 – (CVE-2021-20227) CVE-2021-20227 sqlite: potential use-after-free bug when processing a subquery with both a correlated WHERE clause and a "HAVING 0" clause and where the parent query is an aIssue Tracking;Third Party Advisory
-
https://security.gentoo.org/glsa/202103-04
SQLite: Remote code execution (GLSA 202103-04) — Gentoo securityThird Party Advisory
-
https://www.sqlite.org/releaselog/3_34_1.html
SQLite Release 3.34.1 On 2021-01-20Release Notes;Vendor Advisory
Jump to