CVE-2018-20346
sqlite3 - security update
8.1
HIGH
CVSS 3.1
EPSS 13.5%
Description
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
How to fix CVE-2018-20346
To remediate CVE-2018-20346, upgrade the affected package to a fixed version below.
- —upgrade to 3.25.3-r0 or later
- —upgrade to 71.0.3578.80-1 or later
- —upgrade to 3.25.3-1 or later
- —upgrade to 3.8.7.1-1+deb8u3 or later
- —upgrade to 3.16.2-5+deb9u2 or later
Is CVE-2018-20346 being exploited?
Moderate — EPSS is 13.5%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 3.25.3-r0
- from 0, < 71.0.3578.80-1
- from 0, < 3.25.3-1
- from 0, < 3.8.7.1-1+deb8u3
- from 0, < 3.16.2-5+deb9u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |