SQLite Forum

Please fix CVE-2020-15358

(1) By Aaron (AceHack) on 2020-07-30 20:04:03

| package | package_version | cve | severity | cvss |
| -- | -- | -- | -- | -- |
| sqlite | 3.32.1-r0 | CVE-2020-15358 | medium | 5.5 |

Our security team is trying to block us from using sqlite because of this.

(2) By Stephan Beal (stephan) on 2020-07-30 20:28:05 in reply to 1

> Please fix CVE-2020-15358

Please see [/forumpost/247d4d7888](/forumpost/247d4d7888) and the following posts for an explanation about why the sqlite team does not track CVEs.

(3) By Richard Hipp (drh) on 2020-07-30 20:41:01 in reply to 1

Notes:

  1.  That CVE is fake news.  It only applies if you are allowing
      malicious agents to inject arbitrary SQL into your
      application.  And even then, the worst known outcome is denial
      of service. See [\[1\]][1] for more information about CVEs and SQLite.

  2.  The bug that the CVE is based on was fixed in SQLite version 3.32.3.

  3.  Relying on CVEs and believing the information you read in CVEs is
      not an effective security policy.

[1]: https://www.sqlite.org/cves.html#cvetab

(5) By Stephan Beal (stephan) on 2020-07-30 20:45:42 in reply to 3

> That CVE is fake news

The next time I manage a ticket database, "fake news" will be added as one of the ticket resolution options.

(4) By Peter Kolbus (pkolbus) on 2020-07-30 20:42:45 in reply to 1

Aside from what stephan has already said, NVD indicates this particular CVE is applicable to versions prior to 3.32.3 (<https://nvd.nist.gov/vuln/detail/CVE-2020-15358>). Version 3.32.3 was released June 18.
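Triage of the kind of scanner row quoted at the top of the thread, as an added example (not code from the SQLite project or from any poster): it parses distro-style package versions such as `3.32.1-r0` and compares them against the version the thread names as carrying the fix (3.32.3), and also checks the SQLite library actually linked into the running interpreter. The scanner rows and the `triage` helper are constructed for this example.

```python
"""Compare scanner-reported sqlite package versions with the fix version
for CVE-2020-15358 (3.32.3, per posts 3 and 4). Added example; sample
scanner rows below are constructed, not taken from a real scan."""
import re
import sqlite3

FIXED_IN = (3, 32, 3)  # version in which the underlying bug was fixed

# Constructed sample rows in the same shape as the scanner table above.
SCAN_ROWS = [
    {"package": "sqlite", "package_version": "3.32.1-r0", "cve": "CVE-2020-15358"},
    {"package": "sqlite", "package_version": "3.32.3-r0", "cve": "CVE-2020-15358"},
    {"package": "sqlite", "package_version": "3.33.0-r1", "cve": "CVE-2020-15358"},
]


def parse_version(text):
    """Turn "3.32.1-r0" (upstream version plus distro revision) into (3, 32, 1).
    The distro suffix ("-r0") does not change upstream code, so it is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_fixed(version_text, fixed_in=FIXED_IN):
    """True when the package already carries the upstream fix."""
    return parse_version(version_text) >= fixed_in


def triage(rows, fixed_in=FIXED_IN):
    """Split scanner rows into those still affected and those already fixed."""
    affected, fixed = [], []
    for row in rows:
        (fixed if is_fixed(row["package_version"], fixed_in) else affected).append(row)
    return affected, fixed


def runtime_sqlite_is_fixed(fixed_in=FIXED_IN):
    """Check the SQLite library linked into this Python, not just the package
    database the scanner read; the two can differ on a given host."""
    return tuple(sqlite3.sqlite_version_info) >= fixed_in


if __name__ == "__main__":
    affected, fixed = triage(SCAN_ROWS)
    for row in affected:
        print(f"{row['cve']}: {row['package']} {row['package_version']} is below 3.32.3, upgrade")
    for row in fixed:
        print(f"{row['cve']}: {row['package']} {row['package_version']} already carries the fix")
    print("linked SQLite", sqlite3.sqlite_version, "fixed:", runtime_sqlite_is_fixed())
```

This settles only the version question; as post 3 notes, whether the finding is reachable at all depends on whether untrusted SQL reaches the library.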