CVE-2020-11656

9.8 CRITICAL

📋 TL;DR

This CVE describes a use-after-free vulnerability in SQLite's ALTER TABLE implementation when used with ORDER BY clauses in compound SELECT statements. Attackers can exploit this to execute arbitrary code or cause denial of service. Any application using vulnerable SQLite versions is affected.

💻 Affected Systems

Products:
  • SQLite
  • Applications embedding SQLite
  • Siemens products
  • FreeBSD
  • Gentoo Linux
  • NetApp products
  • Oracle products
Versions: SQLite through 3.31.1
Operating Systems: All operating systems running vulnerable SQLite versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using SQLite with ALTER TABLE and compound SELECT statements is vulnerable. The vulnerability is in the SQLite library itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash causing denial of service, potentially with memory corruption that could lead to information disclosure.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing prevent malicious SQL execution.

🌐 Internet-Facing: HIGH - SQLite is embedded in many web applications and services that could be exposed to crafted SQL queries.
🏢 Internal Only: MEDIUM - Internal applications using SQLite could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the ability to execute SQL queries against a vulnerable SQLite instance. The vulnerability is in SQL parsing/execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SQLite 3.32.0 and later

Vendor Advisory: https://www.sqlite.org/releaselog/3_32_0.html

Restart Required: Yes

Instructions:

  1. Update SQLite to version 3.32.0 or later.
  2. For embedded applications, update the SQLite library.
  3. Restart applications/services using SQLite.
  4. For OS distributions, apply security updates from your vendor.

🔧 Temporary Workarounds

Input Validation (all platforms)

Validate and sanitize all SQL input to prevent malicious ALTER TABLE queries with compound SELECT statements.

SQLite Compile-Time Options (Linux)

Compile SQLite with security hardening options like SQLITE_DEFAULT_MEMSTATUS=0 and SQLITE_MAX_ATTACHED=0.

./configure CFLAGS="-DSQLITE_DEFAULT_MEMSTATUS=0 -DSQLITE_MAX_ATTACHED=0"

🧯 If You Can't Patch

  • Implement strict input validation to block ALTER TABLE queries with compound SELECT ORDER BY clauses.
  • Use application-level sandboxing or privilege separation to limit SQLite's access to system resources.

🔍 How to Verify

Check if Vulnerable:

Check SQLite version with 'sqlite3 --version' or query 'SELECT sqlite_version();' from within SQLite.

Check Version:

sqlite3 --version

Verify Fix Applied:

Confirm version is 3.32.0 or higher using the same version check methods.
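
The sqlite3 command-line tool and the library linked into an application can be different builds, so both need checking. The following is an added example, not part of the original advisory: it runs 'SELECT sqlite_version();' against the library linked into the Python process and compares version strings numerically against 3.32.0. The function names and the sample inventory are assumptions constructed for illustration.

```python
import re
import sqlite3

FIXED = (3, 32, 0)  # first fixed release according to this page


def parse_version(text):
    """Return (major, minor, patch) from '3.31.1' or from CLI output such as
    '3.31.1 2020-01-27 19:55:54 <source id>'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no SQLite version found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(text):
    # Compare as integers: as strings, '3.9.2' would sort after '3.32.0'.
    return parse_version(text) < FIXED


def linked_library_version():
    """Version of the SQLite library linked into this process, asked via SQL."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT sqlite_version()").fetchone()[0]
    finally:
        conn.close()


def audit(inventory):
    """inventory maps a label to a reported version string.
    Returns the labels still below the fixed release, sorted."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (labels and strings are illustrative only).
SAMPLE = {
    "system sqlite3 CLI": "3.31.1 2020-01-27 19:55:54 <source id>",
    "app-a bundled library": "3.32.0",
    "app-b bundled library": "3.9.2",
    "app-c bundled library": "3.40.1",
}

if __name__ == "__main__":
    live = linked_library_version()
    print("this process:", live, "AFFECTED" if is_affected(live) else "ok")
    for name in audit(SAMPLE):
        print("needs update:", name)
```
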

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors related to ALTER TABLE
  • Application crashes with memory corruption signatures
  • Unusual SQL query patterns with compound SELECT and ORDER BY

Network Indicators:

  • Unexpected database connection attempts
  • SQL injection attack patterns

SIEM Query:

source="application.log" AND ("ALTER TABLE" AND "ORDER BY" AND "SELECT")
