CVE-2020-13630

7.0 HIGH

📋 TL;DR

CVE-2020-13630 is a use-after-free vulnerability in SQLite's FTS3 extension that can lead to memory corruption and potential code execution. It affects applications using SQLite with the FTS3 snippet feature enabled. Attackers could exploit this to crash applications or execute arbitrary code.

💻 Affected Systems

Products:
  • SQLite
  • Applications embedding SQLite (Chrome, Firefox, Android, iOS apps, etc.)
Versions: SQLite versions before 3.32.0
Operating Systems: All platforms running vulnerable SQLite versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when FTS3 extension is enabled and snippet() function is used. Many applications disable FTS3 by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption leading to unstable behavior.

🟢 If Mitigated: Application crash without code execution if memory protections like ASLR are effective.

🌐 Internet-Facing: MEDIUM - Requires specific SQLite usage patterns and snippet feature activation.
🏢 Internal Only: LOW - Typically requires local access or specific application integration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control over SQL queries using the snippet() function. Multiple proof-of-concept examples exist in disclosure references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SQLite 3.32.0 and later

Vendor Advisory: https://sqlite.org/releaselog/3_32_0.html

Restart Required: Yes

Instructions:

1. Download SQLite 3.32.0 or later from sqlite.org.
2. Replace vulnerable SQLite library.
3. Recompile applications using SQLite.
4. Restart affected services and applications.

🔧 Temporary Workarounds

Disable FTS3 Extension

Platforms: all

Prevent use of vulnerable snippet() function by disabling FTS3 extension at compile time.

Compile SQLite with -DSQLITE_ENABLE_FTS3=0 or -DSQLITE_ENABLE_FTS3_PARENTHESIS=0

Application-Level Filtering

Platforms: all

Block or sanitize SQL queries containing snippet() function calls.

🧯 If You Can't Patch

  • Implement strict input validation to block snippet() function calls in SQL queries
  • Deploy memory protection mechanisms (ASLR, DEP) to reduce exploit effectiveness

🔍 How to Verify

Check if Vulnerable:

Check SQLite version: sqlite3 --version. If version < 3.32.0 and FTS3 is enabled, system is vulnerable.

Check Version:

sqlite3 --version

Verify Fix Applied:

Verify SQLite version is ≥ 3.32.0 and test snippet() function with known malicious queries.
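
The version-plus-FTS3 check described above, as an added example (not code from the advisory or from the SQLite project). It inspects the SQLite library linked into the Python interpreter that runs it, which may differ from the copy an application embeds; the function names and the probe table name are assumptions of this example.

```python
import sqlite3

FIXED = (3, 32, 0)  # first fixed release according to the advisory above


def parse_version(text):
    """'3.31.1 2020-01-27 ...' -> (3, 31, 1); also accepts `sqlite3 --version` output."""
    head = text.split()[0]
    parts = [int(p) for p in head.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def fts3_available(conn):
    """Functional probe: can this library create an FTS3 virtual table?"""
    try:
        conn.execute("CREATE VIRTUAL TABLE cve_probe USING fts3(body)")
    except sqlite3.OperationalError:
        return False  # typically "no such module: fts3"
    conn.execute("DROP TABLE cve_probe")
    return True


def assess(version_text, fts3_enabled):
    """Apply the advisory's rule: version < 3.32.0 AND FTS3 enabled."""
    if parse_version(version_text) >= FIXED:
        return "patched"
    return "vulnerable" if fts3_enabled else "outdated, FTS3 not available"


def assess_linked_library():
    """Check the SQLite library this Python process is linked against."""
    conn = sqlite3.connect(":memory:")
    try:
        return assess(sqlite3.sqlite_version, fts3_available(conn))
    finally:
        conn.close()


if __name__ == "__main__":
    print(sqlite3.sqlite_version, "->", assess_linked_library())
```

Running it again after rebuilding with the compile-time workaround confirms whether the fts3 module is actually absent from the resulting library.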

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • SQL errors mentioning fts3EvalNextRow or snippet()

Network Indicators:

  • Unusual SQL query patterns containing snippet() function

SIEM Query:

source="application.log" AND ("segmentation fault" OR "access violation" OR "fts3EvalNextRow")

🔗 References