CVE-2021-36690

** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://www.sqlite.org/forum/forumpost/718c0a8d17	Exploit Patch Vendor Advisory
https://support.apple.com/kb/HT213488	Third Party Advisory
https://support.apple.com/kb/HT213446	Third Party Advisory
https://support.apple.com/kb/HT213486	Third Party Advisory
https://support.apple.com/kb/HT213487	Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/41	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/28	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/39	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/47	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/49	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sqlite:sqlite:3.36.0:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:watchos::::::::
	cpe:2.3:o:apple:tvos::::::::

Information

Published : 2021-08-24 07:15

Updated : 2023-03-03 07:21

NVD link : CVE-2021-36690

Mitre link : CVE-2021-36690

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

apple

tvos
macos
watchos
iphone_os

oracle

zfs_storage_appliance_kit

sqlite

sqlite

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.sqlite.org/forum/forumpost/718c0a8d17", "name": "https://www.sqlite.org/forum/forumpost/718c0a8d17", "tags": ["Exploit", "Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://support.apple.com/kb/HT213488", "name": "https://support.apple.com/kb/HT213488", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://support.apple.com/kb/HT213446", "name": "https://support.apple.com/kb/HT213446", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://support.apple.com/kb/HT213486", "name": "https://support.apple.com/kb/HT213486", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://support.apple.com/kb/HT213487", "name": "https://support.apple.com/kb/HT213487", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://seclists.org/fulldisclosure/2022/Oct/41", "name": "20221030 APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2022/Oct/28", "name": "20221030 APPLE-SA-2022-10-24-2 macOS Ventura 13", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2022/Oct/39", "name": "20221030 APPLE-SA-2022-10-27-3 Additional information for APPLE-SA-2022-09-12-1 iOS 16", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2022/Oct/47", "name": "20221030 APPLE-SA-2022-10-27-11 tvOS 16", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2022/Oct/49", "name": "20221030 APPLE-SA-2022-10-27-13 watchOS 9", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-36690", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2021-08-24T14:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:sqlite:sqlite:3.36.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.0"}, {"cpe23Uri": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "13.0"}, {"cpe23Uri": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "9.0"}, {"cpe23Uri": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-03-03T15:21Z"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2021-36690

7.5^/10

5.0^/10

Attach tags to `CVE-2021-36690`