SQLite Forum

Please fix CVE-2020-15358


(1) By Aaron (AceHack) on 2020-07-30 20:04:03 [link] [source]

package   package_version   cve              severity   cvss
sqlite    3.32.1-r0         CVE-2020-15358   medium     5.5

Our security team is trying to block us from using sqlite because of this.

(2) By Stephan Beal (stephan) on 2020-07-30 20:28:05 in reply to 1 [link] [source]

Please fix CVE-2020-15358

Please see /forumpost/247d4d7888 and the following posts for an explanation about why the sqlite team does not track CVEs.

(3) By Richard Hipp (drh) on 2020-07-30 20:41:01 in reply to 1 [link] [source]


  1. That CVE is fake news. It only applies if you are allowing malicious agents to inject arbitrary SQL into your application. And even then, the worst known outcome is denial of service. See [1] for more information about CVEs and SQLite.

  2. The bug that the CVE is based on was fixed in SQLite version 3.32.3.

  3. Relying on CVEs and believing the information you read in CVEs is not an effective security policy.

[1] https://www.sqlite.org/cves.html

(5) By Stephan Beal (stephan) on 2020-07-30 20:45:42 in reply to 3 [source]

That CVE is fake news

The next time i manage a ticket database, "fake news" will be added as one of the ticket resolution options.

(4) By Peter Kolbus (pkolbus) on 2020-07-30 20:42:45 in reply to 1 [link] [source]

Aside from what stephan has already said, NVD indicates this particular CVE is applicable to versions prior to 3.32.3 (https://nvd.nist.gov/vuln/detail/CVE-2020-15358). Version 3.32.3 was released June 18.
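The two facts a practitioner can act on from posts (3) and (4) are the version threshold (fixed in 3.32.3) and the precondition (the bug only matters if callers can feed arbitrary SQL to the library). The following is an added example, not code from this thread or from the SQLite project: it checks the SQLite library that Python's sqlite3 module actually links against the 3.32.3 threshold, and contrasts a lookup that concatenates caller input into SQL with one that binds it as a parameter. The helper names, the FIXED_IN constant and the in-memory sample rows are this example's own assumptions.

```python
"""Added example (not from the forum thread or the SQLite project).

Checks the linked SQLite version against the 3.32.3 fix release named in
the thread, and shows the 'arbitrary SQL injection' precondition beside a
parameterised query that removes it.  Sample rows are constructed here.
"""
import sqlite3

# Release in which the thread says the underlying bug was fixed (assumption:
# taken from posts (3) and (4), not from the SQLite project's own metadata).
FIXED_IN = (3, 32, 3)


def library_is_fixed(version=None):
    """True if the SQLite library is at or past 3.32.3.

    `version` defaults to the library sqlite3 really links against; a
    (major, minor, patch) tuple can be passed to evaluate another deployment.
    """
    v = sqlite3.sqlite_version_info if version is None else tuple(version)
    return tuple(v[:3]) >= FIXED_IN


def _fresh_db():
    """In-memory database with constructed sample data so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(name):
    """Concatenates caller input into the statement text.

    This is the precondition post (3) describes: whoever controls `name`
    controls the SQL, so any library bug reachable through SQL is reachable.
    """
    conn = _fresh_db()
    rows = conn.execute(
        "SELECT name FROM users WHERE name = '%s'" % name
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


def lookup_safe(name):
    """Binds caller input as a parameter.

    The input can only ever be a string compared against `name`; it is
    never parsed as SQL, so the caller cannot choose which statements run.
    """
    conn = _fresh_db()
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("linked SQLite", sqlite3.sqlite_version,
          "at or past 3.32.3:", library_is_fixed())
    probe = "x' OR 'a'='a"          # constructed input, not an exploit for the CVE
    print("unsafe lookup:", lookup_unsafe(probe))   # returns every row
    print("safe lookup:  ", lookup_safe(probe))     # returns no row
```

Run it in each build image to see which SQLite the interpreter actually loads; a distribution package such as the 3.32.1-r0 in the scanner report above may differ from what a bundled Python or a statically linked binary carries. The unsafe/safe pair is the real question for the scanner finding: if every statement is bound the way `lookup_safe` is, the precondition in post (3) does not hold in your application.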