CVE-2020-11656

Description

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

How to fix CVE-2020-11656

To remediate CVE-2020-11656, upgrade the affected package to a fixed version below.

Bitnami/sqlite—upgrade to 3.31.2 or later
Debian/sqlite3—upgrade to 3.32.0-1 or later

Is CVE-2020-11656 being exploited?

Moderate — EPSS is 6.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 3.31.2
from 0, < 3.32.0-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (13)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-11656
WEBcert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
WEBnvd.nist.gov/vuln/detail/CVE-2020-11656
WEBsecurity.freebsd.org/advisories/FreeBSD-SA-20:22.sqlite.asc
WEB