{
  "threat_severity" : "Moderate",
  "public_date" : "2020-06-15T00:00:00Z",
  "bugzilla" : {
    "description" : "sqlite: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization in select.c",
    "id" : "1851957",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1851957"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", "A heap buffer overflow was found in SQLite in the query flattening optimization technique. This flaw allows an attacker who is able to execute SQL statements to crash the application, resulting in a denial of service." ],
  "statement" : "This flaw did not affect the versions of SQLite as shipped with Red Hat Enterprise Linux 7, because they did not include support for the WHERE-clause constant propagation optimization. This optimization was introduced in a later version of the package (3.25.0).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1581",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "sqlite-0:3.26.0-13.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1581",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "sqlite-0:3.26.0-13.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "sqlite",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "sqlite",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "sqlite",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-15358\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15358" ],
  "name" : "CVE-2020-15358",
  "csaw" : false
}