Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-0646
HistoryAug 17, 2021 - 12:00 a.m.

CVE-2021-0646

2021-08-1700:00:00
ubuntu.com
ubuntu.com
22
sqlite3
out of bounds write
local privilege escalation
android
input validation
printf injection
execution privileges

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

47.7%

In sqlite3_str_vappendf of sqlite3.c, there is a possible out of bounds
write due to improper input validation. This could lead to local escalation
of privilege if the user can also inject a printf into a privileged
process’s SQL with no additional execution privileges needed. User
interaction is not needed for exploitation.Product: AndroidVersions:
Android-9 Android-10 Android-11 Android-8.1Android ID: A-153352319

Notes

Author Note
mdeslaur this is an android-specific CVE which corresponds to CVE-2020-13434 in sqlite3

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

47.7%