Details of VAR-202005-0222

ID

VAR-202005-0222

CVE

CVE-2020-13630

TITLE

Sqlite Resource Management Error Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202005-1349

DESCRIPTION

ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. SQLite is an open source embedded relational database management system based on C language developed by American D.Richard Hipp software developer. The system has the characteristics of independence, isolation and cross-platform. A resource management error vulnerability exists in the 'snippet()' function of the ext/fts3/fts3.c file in versions prior to SQLite 3.32.0. An attacker could exploit this vulnerability with a specially crafted request to cause a denial of service. Bug Fix(es): * NVD feed fixed in Clair-v2 (clair-jwt image) 3. Solution: Download the release images via: quay.io/redhat/quay:v3.3.3 quay.io/redhat/clair-jwt:v3.3.3 quay.io/redhat/quay-builder:v3.3.3 quay.io/redhat/clair:v3.3.3 4. Bugs fixed (https://bugzilla.redhat.com/): 1905758 - CVE-2020-27831 quay: email notifications authorization bypass 1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display 5. JIRA issues fixed (https://issues.jboss.org/): PROJQUAY-1124 - NVD feed is broken for latest Clair v2 version 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1 macOS Big Sur 11.0.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT211931. AMD Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2020-27914: Yu Wang of Didi Research America CVE-2020-27915: Yu Wang of Didi Research America Entry added December 14, 2020 App Store Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to gain elevated privileges Description: This issue was addressed by removing the vulnerable code. CVE-2020-27903: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27910: JunDong Xie and XingWei Lin of Ant Security Light- Year Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27916: JunDong Xie of Ant Security Light-Year Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab Audio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab Bluetooth Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected application termination or heap corruption Description: Multiple integer overflows were addressed with improved input validation. CVE-2020-27906: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab CoreAudio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27908: JunDong Xie and XingWei Lin of Ant Security Light- Year Lab CVE-2020-27909: Anonymous working with Trend Micro Zero Day Initiative, JunDong Xie and XingWei Lin of Ant Security Light-Year Lab CVE-2020-9960: JunDong Xie and XingWei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 CoreAudio Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-10017: Francis working with Trend Micro Zero Day Initiative, JunDong Xie of Ant Security Light-Year Lab CoreCapture Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9949: Proteas CoreGraphics Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro Crash Reporter Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. CVE-2020-10003: Tim Michaud (@TimGMichaud) of Leviathan CoreText Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2020-27922: Mickey Jin of Trend Micro Entry added December 14, 2020 CoreText Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted text file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2020-9999: Apple Entry updated December 14, 2020 Disk Images Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9965: Proteas CVE-2020-9966: Proteas Finder Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Users may be unable to remove metadata indicating where files were downloaded from Description: The issue was addressed with additional user controls. CVE-2020-27894: Manuel Trezza of Shuggr (shuggr.com) FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A buffer overflow was addressed with improved size validation. CVE-2020-9962: Yiğit Can YILMAZ (@yilmazcanyigit) Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27952: an anonymous researcher, Mickey Jin and Junzhi Lu of Trend Micro Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9956: Mickey Jin and Junzhi Lu of Trend Micro Mobile Security Research Team working with Trend Micro’s Zero Day Initiative Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation. CVE-2020-27931: Apple Entry added December 14, 2020 FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font may lead to arbitrary code execution. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A memory corruption issue was addressed with improved input validation. CVE-2020-27930: Google Project Zero FontParser Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-27927: Xingwei Lin of Ant Security Light-Year Lab Foundation Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to read arbitrary files Description: A logic issue was addressed with improved state management. CVE-2020-10002: James Hutchins HomeKit Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker in a privileged network position may be able to unexpectedly alter application state Description: This issue was addressed with improved setting propagation. CVE-2020-9978: Luyi Xing, Dongfang Zhao, and Xiaofeng Wang of Indiana University Bloomington, Yan Jia of Xidian University and University of Chinese Academy of Sciences, and Bin Yuan of HuaZhong University of Science and Technology Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9955: Mickey Jin of Trend Micro, Xingwei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-27924: Lei Sun Entry added December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab CVE-2020-27923: Lei Sun Entry updated December 14, 2020 ImageIO Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9876: Mickey Jin of Trend Micro Intel Graphics Driver Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-10015: ABC Research s.r.o. working with Trend Micro Zero Day Initiative CVE-2020-27897: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc., and Luyi Xing of Indiana University Bloomington Entry added December 14, 2020 Intel Graphics Driver Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2020-27907: ABC Research s.r.o. working with Trend Micro Zero Day Initiative Entry added December 14, 2020 Image Processing Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2020-27919: Hou JingYi (@hjy79425575) of Qihoo 360 CERT, Xingwei Lin of Ant Security Light-Year Lab Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2020-9967: Alex Plaskett (@alexjplaskett) Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9975: Tielei Wang of Pangu Lab Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2020-27921: Linus Henze (pinauten.de) Entry added December 14, 2020 Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management. CVE-2020-27904: Zuozhi Fan (@pattern_F_) of Ant Group Tianqong Security Lab Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker in a privileged network position may be able to inject into active connections within a VPN tunnel Description: A routing issue was addressed with improved restrictions. CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R. Crandall Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to disclose kernel memory. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A memory initialization issue was addressed. CVE-2020-27950: Google Project Zero Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine kernel memory layout Description: A logic issue was addressed with improved state management. CVE-2020-9974: Tommy Muir (@Muirey03) Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2020-10016: Alex Helie Kernel Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild. Description: A type confusion issue was addressed with improved state handling. CVE-2020-27932: Google Project Zero libxml2 Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing maliciously crafted web content may lead to code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-27917: found by OSS-Fuzz CVE-2020-27920: found by OSS-Fuzz Entry updated December 14, 2020 libxml2 Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2020-27911: found by OSS-Fuzz libxpc Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2020-9971: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Entry added December 14, 2020 libxpc Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to break out of its sandbox Description: A parsing issue in the handling of directory paths was addressed with improved path validation. CVE-2020-10014: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab Logging Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: A path handling issue was addressed with improved validation. CVE-2020-10010: Tommy Muir (@Muirey03) Mail Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to unexpectedly alter application state Description: This issue was addressed with improved checks. CVE-2020-9941: Fabian Ising of FH Münster University of Applied Sciences and Damian Poddebniak of FH Münster University of Applied Sciences Messages Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to discover a user’s deleted messages Description: The issue was addressed with improved deletion. CVE-2020-9988: William Breuer of the Netherlands CVE-2020-9989: von Brunn Media Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-10011: Aleksandar Nikolic of Cisco Talos Entry added December 14, 2020 Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-13524: Aleksandar Nikolic of Cisco Talos Model I/O Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution Description: A logic issue was addressed with improved state management. CVE-2020-10004: Aleksandar Nikolic of Cisco Talos NetworkExtension Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to elevate privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9996: Zhiwei Yuan of Trend Micro iCore Team, Junzhi Lu and Mickey Jin of Trend Micro NSRemoteView Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved restrictions. CVE-2020-27901: Thijs Alkemade of Computest Research Division Entry added December 14, 2020 NSRemoteView Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to preview files it does not have access to Description: An issue existed in the handling of snapshots. The issue was resolved with improved permissions logic. CVE-2020-27900: Thijs Alkemade of Computest Research Division PCRE Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Multiple issues in pcre Description: Multiple issues were addressed by updating to version 8.44. CVE-2019-20838 CVE-2020-14155 Power Management Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine kernel memory layout Description: A logic issue was addressed with improved state management. CVE-2020-10007: singi@theori working with Trend Micro Zero Day Initiative python Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Cookies belonging to one origin may be sent to another origin Description: Multiple issues were addressed with improved logic. CVE-2020-27896: an anonymous researcher Quick Look Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious app may be able to determine the existence of files on the computer Description: The issue was addressed with improved handling of icon caches. CVE-2020-9963: Csaba Fitzl (@theevilbit) of Offensive Security Quick Look Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing a maliciously crafted document may lead to a cross site scripting attack Description: An access issue was addressed with improved access restrictions. CVE-2020-10012: Heige of KnownSec 404 Team (https://www.knownsec.com/) and Bo Qu of Palo Alto Networks (https://www.paloaltonetworks.com/) Ruby Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to modify the file system Description: A path handling issue was addressed with improved validation. CVE-2020-27896: an anonymous researcher Ruby Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system Description: This issue was addressed with improved checks. CVE-2020-10663: Jeremy Evans Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Visiting a malicious website may lead to address bar spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2020-9945: Narendra Bhati From Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to determine a user's open tabs in Safari Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. CVE-2020-9977: Josh Parnham (@joshparnham) Safari Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Visiting a malicious website may lead to address bar spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2020-9942: an anonymous researcher, Rahul d Kankrale (servicenger.com), Rayyan Bijoora (@Bijoora) of The City School, PAF Chapter, Ruilin Yang of Tencent Security Xuanwu Lab, YoKo Kho (@YoKoAcc) of PT Telekomunikasi Indonesia (Persero) Tbk, Zhiyang Zeng(@Wester) of OPPO ZIWU Security Lab Sandbox Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local user may be able to view senstive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2020-9969: Wojciech Reguła of SecuRing (wojciechregula.blog) SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-9991 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to leak memory Description: An information disclosure issue was addressed with improved state management. CVE-2020-9849 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Multiple issues in SQLite Description: Multiple issues were addressed by updating SQLite to version 3.32.3. CVE-2020-15358 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A maliciously crafted SQL query may lead to data corruption Description: This issue was addressed with improved checks. CVE-2020-13631 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-13434 CVE-2020-13435 CVE-2020-9991 SQLite Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A remote attacker may be able to cause arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2020-13630 Symptom Framework Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A local attacker may be able to elevate their privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-27899: 08Tc3wBB working with ZecOps Entry added December 14, 2020 System Preferences Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved state management. CVE-2020-10009: Thijs Alkemade of Computest Research Division TCC Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application with root privileges may be able to access private information Description: A logic issue was addressed with improved restrictions. CVE-2020-10008: Wojciech Reguła of SecuRing (wojciechregula.blog) Entry added December 14, 2020 WebKit Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-27918: Liu Long of Ant Security Light-Year Lab Entry updated December 14, 2020 Wi-Fi Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: An attacker may be able to bypass Managed Frame Protection Description: A denial of service issue was addressed with improved state handling. CVE-2020-27898: Stephan Marais of University of Johannesburg Xsan Available for: Mac Pro (2013 and later), MacBook Air (2013 and later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later), iMac (2014 and later), MacBook (2015 and later), iMac Pro (all models) Impact: A malicious application may be able to access restricted files Description: This issue was addressed with improved entitlements. CVE-2020-10006: Wojciech Reguła (@_r3ggi) of SecuRing Additional recognition 802.1X We would like to acknowledge Kenana Dalle of Hamad bin Khalifa University and Ryan Riley of Carnegie Mellon University in Qatar for their assistance. Entry added December 14, 2020 Audio We would like to acknowledge JunDong Xie and XingWei Lin of Ant- financial Light-Year Security Lab, an anonymous researcher for their assistance. Bluetooth We would like to acknowledge Andy Davis of NCC Group, Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for their assistance. Entry updated December 14, 2020 Clang We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. Core Location We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. Crash Reporter We would like to acknowledge Artur Byszko of AFINE for their assistance. Entry added December 14, 2020 Directory Utility We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing for their assistance. iAP We would like to acknowledge Andy Davis of NCC Group for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero, Stephen Röttger of Google for their assistance. libxml2 We would like to acknowledge an anonymous researcher for their assistance. Entry added December 14, 2020 Login Window We would like to acknowledge Rob Morton of Leidos for their assistance. Photos Storage We would like to acknowledge Paulos Yibelo of LimeHats for their assistance. Quick Look We would like to acknowledge Csaba Fitzl (@theevilbit) and Wojciech Reguła of SecuRing (wojciechregula.blog) for their assistance. Safari We would like to acknowledge Gabriel Corona and Narendra Bhati From Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati for their assistance. Security We would like to acknowledge Christian Starkjohann of Objective Development Software GmbH for their assistance. System Preferences We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl/YDPwACgkQZcsbuWJ6 jjANmhAAoj+ZHNnH2pGDFl2/jrAtvWBtXg8mqw6NtNbGqWDZFhnY5q7Lp8WTx/Pi x64A4F8bU5xcybnmaDpK5PMwAAIiAg4g1BhpOq3pGyeHEasNx7D9damfqFGKiivS p8nl62XE74ayfxdZGa+2tOVFTFwqixfr0aALVoQUhAWNeYuvVSgJXlgdGjj+QSL+ 9vW86kbQypOqT5TPDg6tpJy3g5s4hotkfzCfxA9mIKOg5e/nnoRNhw0c1dzfeTRO INzGxnajKGGYy2C3MH6t0cKG0B6cH7aePZCHYJ1jmuAVd0SD3PfmoT76DeRGC4Ri c8fGD+5pvSF6/+5E+MbH3t3D6bLiCGRFJtYNMpr46gUKKt27EonSiheYCP9xR6lU ChpYdcgHMOHX4a07/Oo8vEwQrtJ4JryhI9tfBel1ewdSoxk2iCFKzLLYkDMihD6B 1x/9MlaqEpLYBnuKkrRzFINW23TzFPTI/+i2SbUscRQtK0qE7Up5C+IUkRvBGhEs MuEmEnn5spnVG2EBcKeLtJxtf/h5WaRFrev72EvSVR+Ko8Cj0MgK6IATu6saq8bV kURL5empvpexFAvVQWRDaLgGBHKM+uArBz2OP6t7wFvD2p1Vq5M+dMrEPna1JO/S AXZYC9Y9bBRZfYQAv7nxa+uIXy2rGTuQKQY8ldu4eEHtJ0OhaB8= =T5Y8 -----END PGP SIGNATURE----- . Bug Fix(es): * Configuring the system with non-RT kernel will hang the system (BZ#1923220) 3. Bugs fixed (https://bugzilla.redhat.com/): 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 5. JIRA issues fixed (https://issues.jboss.org/): CNF-802 - Infrastructure-provided enablement/disablement of interrupt processing for guaranteed pod CPUs CNF-854 - Performance tests in CNF Tests 6. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202007-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: SQLite: Multiple vulnerabilities Date: July 27, 2020 Bugs: #716748 ID: 202007-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been found in SQLite, the worst of which could result in the arbitrary execution of code. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/sqlite < 3.32.3 >= 3.32.3 Description ========== Multiple vulnerabilities have been discovered in SQLite. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All SQLite users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">\xdev-db/sqlite-3.32.3" References ========= [ 1 ] CVE-2019-20218 https://nvd.nist.gov/vuln/detail/CVE-2019-20218 [ 2 ] CVE-2020-11655 https://nvd.nist.gov/vuln/detail/CVE-2020-11655 [ 3 ] CVE-2020-11656 https://nvd.nist.gov/vuln/detail/CVE-2020-11656 [ 4 ] CVE-2020-13434 https://nvd.nist.gov/vuln/detail/CVE-2020-13434 [ 5 ] CVE-2020-13435 https://nvd.nist.gov/vuln/detail/CVE-2020-13435 [ 6 ] CVE-2020-13630 https://nvd.nist.gov/vuln/detail/CVE-2020-13630 [ 7 ] CVE-2020-13631 https://nvd.nist.gov/vuln/detail/CVE-2020-13631 [ 8 ] CVE-2020-13632 https://nvd.nist.gov/vuln/detail/CVE-2020-13632 [ 9 ] CVE-2020-13871 https://nvd.nist.gov/vuln/detail/CVE-2020-13871 [ 10 ] CVE-2020-15358 https://nvd.nist.gov/vuln/detail/CVE-2020-15358 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202007-26 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . Bug Fix(es): * Aggregator pod tries to parse ConfigMaps without results (BZ#1899479) * The compliancesuite object returns error with ocp4-cis tailored profile (BZ#1902251) * The compliancesuite does not trigger when there are multiple rhcos4 profiles added in scansettingbinding object (BZ#1902634) * [OCP v46] Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object (BZ#1907414) * The profile parser pod deployment and associated profiles should get removed after upgrade the compliance operator (BZ#1908991) * Applying the "rhcos4-moderate" compliance profile leads to Ignition error "something else exists at that path" (BZ#1909081) * [OCP v46] Always update the default profilebundles on Compliance operator startup (BZ#1909122) 3. Bugs fixed (https://bugzilla.redhat.com/): 1899479 - Aggregator pod tries to parse ConfigMaps without results 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 1902251 - The compliancesuite object returns error with ocp4-cis tailored profile 1902634 - The compliancesuite does not trigger when there are multiple rhcos4 profiles added in scansettingbinding object 1907414 - [OCP v46] Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object 1908991 - The profile parser pod deployment and associated profiles should get removed after upgrade the compliance operator 1909081 - Applying the "rhcos4-moderate" compliance profile leads to Ignition error "something else exists at that path" 1909122 - [OCP v46] Always update the default profilebundles on Compliance operator startup 5. Assets Available for: Apple TV 4K and Apple TV HD Impact: An attacker may be able to misuse a trust relationship to download malicious content Description: A trust issue was addressed by removing a legacy API. CVE-2020-9976: Rias A. Entry added November 12, 2020 Installation note: Apple TV will periodically check for software updates. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750) * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHEA-2020:5633 All OpenShift Container Platform users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/): 1823765 - nfd-workers crash under an ipv6 environment 1838802 - mysql8 connector from operatorhub does not work with metering operator 1838845 - Metering operator can't connect to postgres DB from Operator Hub 1841883 - namespace-persistentvolumeclaim-usage query returns unexpected values 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1868294 - NFD operator does not allow customisation of nfd-worker.conf 1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration 1890672 - NFD is missing a build flag to build correctly 1890741 - path to the CA trust bundle ConfigMap is broken in report operator 1897346 - NFD worker pods not scheduler on a 3 node master/worker cluster 1898373 - Metering operator failing upgrade from 4.4 to 4.6 channel 1900125 - FIPS error while generating RSA private key for CA 1906129 - OCP 4.7: Node Feature Discovery (NFD) Operator in CrashLoopBackOff when deployed from OperatorHub 1908492 - OCP 4.7: Node Feature Discovery (NFD) Operator Custom Resource Definition file in olm-catalog is not in sync with the one in manifests dir leading to failed deployment from OperatorHub 1913837 - The CI and ART 4.7 metering images are not mirrored 1914869 - OCP 4.7 NFD - Operand configuration options for NodeFeatureDiscovery are empty, no supported image for ppc64le 1916010 - olm skip range is set to the wrong range 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923998 - NFD Operator is failing to update and remains in Replacing state 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: sqlite security update Advisory ID: RHSA-2020:4442-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4442 Issue date: 2020-11-03 CVE Names: CVE-2019-5018 CVE-2019-16168 CVE-2019-20218 CVE-2020-6405 CVE-2020-9327 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 ==================================================================== 1. Summary: An update for sqlite is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. Security Fix(es): * sqlite: Use-after-free in window function leading to remote code execution (CVE-2019-5018) * sqlite: Division by zero in whereLoopAddBtreeIndex in sqlite3.c (CVE-2019-16168) * sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (CVE-2019-20218) * sqlite: Out-of-bounds read in SELECT with ON/USING clause (CVE-2020-6405) * sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations (CVE-2020-9327) * sqlite: Use-after-free in fts3EvalNextRow in ext/fts3/fts3.c (CVE-2020-13630) * sqlite: Virtual table can be renamed into the name of one of its shadow tables (CVE-2020-13631) * sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query (CVE-2020-13632) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1708301 - CVE-2019-5018 sqlite: Use-after-free in window function leading to remote code execution 1768986 - CVE-2019-16168 sqlite: Division by zero in whereLoopAddBtreeIndex in sqlite3.c 1791313 - CVE-2019-20218 sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error 1801181 - CVE-2020-6405 sqlite: Out-of-bounds read in SELECT with ON/USING clause 1809315 - CVE-2020-9327 sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations 1841562 - CVE-2020-13630 sqlite: Use-after-free in fts3EvalNextRow in ext/fts3/fts3.c 1841568 - CVE-2020-13631 sqlite: Virtual table can be renamed into the name of one of its shadow tables 1841574 - CVE-2020-13632 sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): aarch64: lemon-3.26.0-11.el8.aarch64.rpm lemon-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-debugsource-3.26.0-11.el8.aarch64.rpm sqlite-libs-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.aarch64.rpm ppc64le: lemon-3.26.0-11.el8.ppc64le.rpm lemon-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-debugsource-3.26.0-11.el8.ppc64le.rpm sqlite-libs-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.ppc64le.rpm s390x: lemon-3.26.0-11.el8.s390x.rpm lemon-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-debugsource-3.26.0-11.el8.s390x.rpm sqlite-libs-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.s390x.rpm x86_64: lemon-3.26.0-11.el8.x86_64.rpm lemon-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-debugsource-3.26.0-11.el8.x86_64.rpm sqlite-libs-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.x86_64.rpm Red Hat Enterprise Linux BaseOS (v. 8): Source: sqlite-3.26.0-11.el8.src.rpm aarch64: lemon-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-3.26.0-11.el8.aarch64.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-debugsource-3.26.0-11.el8.aarch64.rpm sqlite-devel-3.26.0-11.el8.aarch64.rpm sqlite-libs-3.26.0-11.el8.aarch64.rpm sqlite-libs-debuginfo-3.26.0-11.el8.aarch64.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.aarch64.rpm noarch: sqlite-doc-3.26.0-11.el8.noarch.rpm ppc64le: lemon-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-3.26.0-11.el8.ppc64le.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-debugsource-3.26.0-11.el8.ppc64le.rpm sqlite-devel-3.26.0-11.el8.ppc64le.rpm sqlite-libs-3.26.0-11.el8.ppc64le.rpm sqlite-libs-debuginfo-3.26.0-11.el8.ppc64le.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.ppc64le.rpm s390x: lemon-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-3.26.0-11.el8.s390x.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-debugsource-3.26.0-11.el8.s390x.rpm sqlite-devel-3.26.0-11.el8.s390x.rpm sqlite-libs-3.26.0-11.el8.s390x.rpm sqlite-libs-debuginfo-3.26.0-11.el8.s390x.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.s390x.rpm x86_64: lemon-debuginfo-3.26.0-11.el8.i686.rpm lemon-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-3.26.0-11.el8.i686.rpm sqlite-3.26.0-11.el8.x86_64.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.i686.rpm sqlite-analyzer-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-debuginfo-3.26.0-11.el8.i686.rpm sqlite-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-debugsource-3.26.0-11.el8.i686.rpm sqlite-debugsource-3.26.0-11.el8.x86_64.rpm sqlite-devel-3.26.0-11.el8.i686.rpm sqlite-devel-3.26.0-11.el8.x86_64.rpm sqlite-libs-3.26.0-11.el8.i686.rpm sqlite-libs-3.26.0-11.el8.x86_64.rpm sqlite-libs-debuginfo-3.26.0-11.el8.i686.rpm sqlite-libs-debuginfo-3.26.0-11.el8.x86_64.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.i686.rpm sqlite-tcl-debuginfo-3.26.0-11.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-5018 https://access.redhat.com/security/cve/CVE-2019-16168 https://access.redhat.com/security/cve/CVE-2019-20218 https://access.redhat.com/security/cve/CVE-2020-6405 https://access.redhat.com/security/cve/CVE-2020-9327 https://access.redhat.com/security/cve/CVE-2020-13630 https://access.redhat.com/security/cve/CVE-2020-13631 https://access.redhat.com/security/cve/CVE-2020-13632 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc

Trust: 1.71

sources: NVD: CVE-2020-13630 // VULHUB: VHN-166428 // PACKETSTORM: 160889 // PACKETSTORM: 160545 // PACKETSTORM: 161548 // PACKETSTORM: 158592 // PACKETSTORM: 161016 // PACKETSTORM: 160062 // PACKETSTORM: 161536 // PACKETSTORM: 159817

AFFECTED PRODUCTS

vendor:	oracle	model:	communications network charging and control	scope:	lte	version:	12.0.3	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	apple	model:	ipados	scope:	lt	version:	14.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	18.04	Trust: 1.0
vendor:	siemens	model:	sinec infrastructure network services	scope:	lt	version:	1.0.1.1	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	14.0	Trust: 1.0
vendor:	oracle	model:	zfs storage appliance kit	scope:	eq	version:	8.8	Trust: 1.0
vendor:	oracle	model:	outside in technology	scope:	eq	version:	8.5.5	Trust: 1.0
vendor:	brocade	model:	fabric operating system	scope:	eq	version:	-	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	16.04	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	11.5	Trust: 1.0
vendor:	netapp	model:	hci compute node	scope:	eq	version:	-	Trust: 1.0
vendor:	apple	model:	itunes	scope:	lt	version:	12.10.9	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	eq	version:	6.0.1	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	20.04	Trust: 1.0
vendor:	sqlite	model:	sqlite	scope:	lt	version:	3.32.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	19.10	Trust: 1.0
vendor:	apple	model:	tvos	scope:	lt	version:	14.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	32	Trust: 1.0
vendor:	apple	model:	watchos	scope:	lt	version:	7.0	Trust: 1.0
vendor:	netapp	model:	cloud backup	scope:	eq	version:	-	Trust: 1.0
vendor:	apple	model:	macos	scope:	lt	version:	11.0.1	Trust: 1.0
vendor:	oracle	model:	outside in technology	scope:	eq	version:	8.5.4	Trust: 1.0
vendor:	netapp	model:	solidfire\, enterprise sds \& hci storage node	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	communications network charging and control	scope:	gte	version:	12.0.0	Trust: 1.0

sources: NVD: CVE-2020-13630

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-13630
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202005-1349
value:	HIGH
Trust: 0.6
VULHUB:	VHN-166428
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-13630
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-166428
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-13630
baseSeverity:	HIGH
baseScore:	7.0
vectorString:	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.0
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-166428 // CNNVD: CNNVD-202005-1349 // NVD: CVE-2020-13630

PROBLEMTYPE DATA

problemtype:

CWE-416

Trust: 1.1

sources: VULHUB: VHN-166428 // NVD: CVE-2020-13630

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202005-1349

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202005-1349

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-166428

PATCH

title:

SQLite Remediation of resource management error vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=121033

Trust: 0.6

sources: CNNVD: CNNVD-202005-1349

EXTERNAL IDS

db:	NVD	id:	CVE-2020-13630	Trust: 2.5
db:	SIEMENS	id:	SSA-389290	Trust: 1.7
db:	PACKETSTORM	id:	161548	Trust: 0.8
db:	PACKETSTORM	id:	159817	Trust: 0.8
db:	PACKETSTORM	id:	158592	Trust: 0.8
db:	PACKETSTORM	id:	160545	Trust: 0.8
db:	PACKETSTORM	id:	162659	Trust: 0.7
db:	PACKETSTORM	id:	160961	Trust: 0.7
db:	PACKETSTORM	id:	160125	Trust: 0.7
db:	PACKETSTORM	id:	160061	Trust: 0.7
db:	CNNVD	id:	CNNVD-202005-1349	Trust: 0.7
db:	PACKETSTORM	id:	158024	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0584	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3181.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2412	Trust: 0.6
db:	AUSCERT	id:	ESB-2023.3732	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2019	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0691	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4513	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4100	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1727	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4060.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2515	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0234	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0171	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1679	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3221	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0099	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0864	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3884	Trust: 0.6
db:	CS-HELP	id:	SB2022071831	Trust: 0.6
db:	CS-HELP	id:	SB2022031104	Trust: 0.6
db:	CS-HELP	id:	SB2021052221	Trust: 0.6
db:	CS-HELP	id:	SB2021072292	Trust: 0.6
db:	CS-HELP	id:	SB2022060618	Trust: 0.6
db:	NSFOCUS	id:	46788	Trust: 0.6
db:	LENOVO	id:	LEN-60182	Trust: 0.6
db:	PACKETSTORM	id:	160062	Trust: 0.2
db:	PACKETSTORM	id:	162694	Trust: 0.1
db:	PACKETSTORM	id:	160064	Trust: 0.1
db:	CNVD	id:	CNVD-2020-31117	Trust: 0.1
db:	VULHUB	id:	VHN-166428	Trust: 0.1
db:	PACKETSTORM	id:	160889	Trust: 0.1
db:	PACKETSTORM	id:	161016	Trust: 0.1
db:	PACKETSTORM	id:	161536	Trust: 0.1

sources: VULHUB: VHN-166428 // PACKETSTORM: 160889 // PACKETSTORM: 160545 // PACKETSTORM: 161548 // PACKETSTORM: 158592 // PACKETSTORM: 161016 // PACKETSTORM: 160062 // PACKETSTORM: 161536 // PACKETSTORM: 159817 // CNNVD: CNNVD-202005-1349 // NVD: CVE-2020-13630

REFERENCES

url:	https://security.gentoo.org/glsa/202007-26	Trust: 1.8
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Trust: 1.7
url:	https://support.apple.com/kb/ht211843	Trust: 1.7
url:	https://support.apple.com/kb/ht211844	Trust: 1.7
url:	https://support.apple.com/kb/ht211850	Trust: 1.7
url:	https://support.apple.com/kb/ht211931	Trust: 1.7
url:	https://support.apple.com/kb/ht211935	Trust: 1.7
url:	https://support.apple.com/kb/ht211952	Trust: 1.7
url:	https://security.netapp.com/advisory/ntap-20200608-0002/	Trust: 1.7
url:	https://security.freebsd.org/advisories/freebsd-sa-20:22.sqlite.asc	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2020/nov/20	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2020/nov/19	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2020/nov/22	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2020/dec/32	Trust: 1.7
url:	https://bugs.chromium.org/p/chromium/issues/detail?id=1080459	Trust: 1.7
url:	https://sqlite.org/src/info/0d69f76f0865f962	Trust: 1.7
url:	https://www.oracle.com/security-alerts/cpujul2020.html	Trust: 1.7
url:	https://www.oracle.com/security-alerts/cpuoct2020.html	Trust: 1.7
url:	https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html	Trust: 1.7
url:	https://usn.ubuntu.com/4394-1/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13630	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/l7kxqwhiy2mqp4lnm6odwjenmxyyqybn/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/l7kxqwhiy2mqp4lnm6odwjenmxyyqybn/	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20218	Trust: 0.6
url:	https://packetstormsecurity.com/files/160125/red-hat-security-advisory-2020-5149-01.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/160961/red-hat-security-advisory-2021-0146-01.html	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities-3/	Trust: 0.6
url:	https://support.lenovo.com/us/en/product_security/len-60182	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/46788	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2515	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1727	Trust: 0.6
url:	https://support.apple.com/en-us/ht211844	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4513/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0234/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2019/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0584	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3884/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4060.2/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022071831	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0171/	Trust: 0.6
url:	https://support.apple.com/en-us/ht211935	Trust: 0.6
url:	https://packetstormsecurity.com/files/162659/red-hat-security-advisory-2021-1968-01.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021072292	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0864	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1679	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2023.3732	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022060618	Trust: 0.6
url:	https://packetstormsecurity.com/files/158024/ubuntu-security-notice-usn-4394-1.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4100/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021052221	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0691	Trust: 0.6
url:	https://packetstormsecurity.com/files/160545/apple-security-advisory-2020-12-14-4.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3221	Trust: 0.6
url:	https://packetstormsecurity.com/files/158592/gentoo-linux-security-advisory-202007-26.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2412	Trust: 0.6
url:	https://packetstormsecurity.com/files/159817/red-hat-security-advisory-2020-4442-01.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/160061/apple-security-advisory-2020-11-13-3.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0099/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/sqlite-three-vulnerabilities-32354	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-wml-ce-sqlite-through-3-32-0-has-various-security-issues/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3181.2/	Trust: 0.6
url:	https://packetstormsecurity.com/files/161548/red-hat-security-advisory-2020-5364-01.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022031104	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2019-20218	Trust: 0.5
url:	https://bugzilla.redhat.com/):	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-5018	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-16168	Trust: 0.5
url:	https://access.redhat.com/security/team/contact/	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-9327	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-5018	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-6405	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16168	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-13632	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-13630	Trust: 0.5
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-13631	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13631	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2019-20907	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-13050	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-20388	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-15165	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-14382	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-1971	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20454	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-19221	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20907	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-1751	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19906	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-7595	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-24659	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19956	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-16935	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-20916	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-19956	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-14422	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14889	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-1730	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-19906	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20387	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-20387	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13627	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20916	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-1752	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-19221	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-15903	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15165	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16935	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-8492	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-20454	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2018-20843	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-13627	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13050	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2019-14889	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2018-20843	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20388	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-10029	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-15903	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-9925	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9802	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9895	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8625	Trust: 0.3
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8812	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3899	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8819	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3867	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8720	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9893	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8808	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3902	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3900	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8743	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9805	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8820	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9807	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8769	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8710	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8813	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9850	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8710	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8811	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9803	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9862	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3885	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-15503	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20807	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-10018	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8835	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8764	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8844	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3865	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3864	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-14391	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3862	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3901	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8823	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3895	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-11793	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8720	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9894	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8816	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9843	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8771	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3897	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9806	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8814	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8743	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-9915	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8815	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8625	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8783	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-20807	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8766	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3868	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8846	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2020-3894	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-8782	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13434	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13435	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15358	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17450	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2019-17450	Trust: 0.3
url:	https://issues.jboss.org/):	Trust: 0.2
url:	https://www.apple.com/support/security/pgp/	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-25211	Trust: 0.2
url:	https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel	Trust: 0.2
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2020-27813	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13632	Trust: 0.2
url:	https://access.redhat.com/errata/rhsa-2021:0050	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8771	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-27831	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8769	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-27832	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8764	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-8766	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10014	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13524	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14155	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10016	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10011	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10015	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10017	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27894	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27896	Trust: 0.1
url:	https://support.apple.com/ht211931.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14899	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10003	Trust: 0.1
url:	https://www.knownsec.com/)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10009	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10004	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10008	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-20838	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10002	Trust: 0.1
url:	https://www.paloaltonetworks.com/)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10010	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10012	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10663	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10006	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10007	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-10726	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10723	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10725	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-10723	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-10725	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10722	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-10722	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10029	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10726	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:5364	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:5633	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11655	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11656	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13871	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:0190	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11068	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-18197	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-18197	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8177	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-1551	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1551	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.6/updating/updating-cluster	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-11068	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9983	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9981	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9961	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9951	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9947	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9991	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9976	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9944	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9954	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9968	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9943	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9965	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9966	Trust: 0.1
url:	https://support.apple.com/ht211843.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9969	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9876	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10013	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9949	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9849	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9950	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9952	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9979	Trust: 0.1
url:	https://access.redhat.com/errata/rhea-2020:5633	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8624	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.7/updating/updating-cluster	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-13225	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8623	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8566	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:5635	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-15157	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-25658	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-15999	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-17546	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-3884	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3884	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8622	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13225	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-3121	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-17546	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-14040	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-24750	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8619	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-3898	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/	Trust: 0.1
url:	https://access.redhat.com/articles/11258	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-6405	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9327	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:4442	Trust: 0.1
url:	https://access.redhat.com/security/team/key/	Trust: 0.1

CREDITS

Red Hat

Trust: 1.1

sources: PACKETSTORM: 160889 // PACKETSTORM: 161548 // PACKETSTORM: 161016 // PACKETSTORM: 161536 // PACKETSTORM: 159817 // CNNVD: CNNVD-202005-1349

SOURCES

db:	VULHUB	id:	VHN-166428
db:	PACKETSTORM	id:	160889
db:	PACKETSTORM	id:	160545
db:	PACKETSTORM	id:	161548
db:	PACKETSTORM	id:	158592
db:	PACKETSTORM	id:	161016
db:	PACKETSTORM	id:	160062
db:	PACKETSTORM	id:	161536
db:	PACKETSTORM	id:	159817
db:	CNNVD	id:	CNNVD-202005-1349
db:	NVD	id:	CVE-2020-13630

LAST UPDATE DATE

2026-03-30T22:51:56.331000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-166428	date:	2022-05-13T00:00:00
db:	CNNVD	id:	CNNVD-202005-1349	date:	2023-06-30T00:00:00
db:	NVD	id:	CVE-2020-13630	date:	2024-11-21T05:01:38.010

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-166428	date:	2020-05-27T00:00:00
db:	PACKETSTORM	id:	160889	date:	2021-01-11T16:29:48
db:	PACKETSTORM	id:	160545	date:	2020-12-16T18:05:29
db:	PACKETSTORM	id:	161548	date:	2021-02-25T15:30:03
db:	PACKETSTORM	id:	158592	date:	2020-07-27T18:32:44
db:	PACKETSTORM	id:	161016	date:	2021-01-19T14:45:45
db:	PACKETSTORM	id:	160062	date:	2020-11-13T22:22:22
db:	PACKETSTORM	id:	161536	date:	2021-02-25T15:26:54
db:	PACKETSTORM	id:	159817	date:	2020-11-04T15:24:09
db:	CNNVD	id:	CNNVD-202005-1349	date:	2020-05-27T00:00:00
db:	NVD	id:	CVE-2020-13630	date:	2020-05-27T15:15:12.867