CVE-2021-20227
SQLite vulnerability analysis and mitigation

Overview

A flaw was found in SQLite's SELECT query handling (src/select.c) and tracked as CVE-2021-20227. The bug was discovered in December 2020 and fixed in SQLite 3.34.1, released on January 20, 2021; every SQLite release before 3.34.1 is affected (SQLite Release, Red Hat CVE).

Technical details

The bug sits in the HAVING-to-WHERE optimization. It is triggered by a subquery that has both a correlated WHERE clause and a 'HAVING 0' clause, where the parent query is an aggregate and the subquery's WHERE clause refers to an aggregate column of that outer query. When SQLite moves the constant HAVING term (0) into the WHERE clause, it simplifies (a=2 AND 0) to simply (0). That simplification is logically correct, but it disturbs aggregate processing for the outer query and can leave it operating on freed memory, i.e. a use-after-free (Red Hat CVE). The vulnerability carries a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Ubuntu CVE): local attack vector, low privileges, no user interaction, and an impact confined to availability.

Impact

An attacker who is able to run SQL queries against an affected SQLite database can crash the process that embeds the library (denial of service) and could possibly achieve code execution if they are able to control the contents of the reused memory. Note that "able to run SQL queries" includes any application path that hands attacker-supplied query text to SQLite. The highest threat from this vulnerability is to system availability (Red Hat CVE).

Mitigation and workarounds

The primary mitigation is to upgrade to SQLite 3.34.1 or later. The upstream patch adds an ExprAlwaysFalse(pExpr)==0 check to the if statement that guards the logic in havingToWhereExprCb() in src/select.c, so a HAVING term that is always false is no longer moved into the WHERE clause (Red Hat CVE). For systems that cannot be updated immediately, Red Hat reports no known workaround that meets its criteria for ease of use and deployment (Red Hat CVE). Two practical caveats: distributions commonly backport the fix without changing the upstream version string, so a package whose version reads below 3.34.1 may already be patched and the package changelog is the authority; and SQLite is frequently bundled statically into applications and language runtimes (the related-vulnerability list below names rust-analyzer and a Node.js build, for example), so each embedded copy has to be checked separately from the system sqlite package.
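The following script is an added example for this advisory, not code from SQLite, Red Hat or Wiz. It asks the SQLite library that a process has actually loaded for its version, rather than trusting package metadata, and compares it with the 3.34.1 fix release. It relies only on Python's standard sqlite3 module; the result is indicative, because a backported distro fix keeps the older version string.

```python
"""Report whether the SQLite library linked into this process predates 3.34.1,
the first upstream release carrying the CVE-2021-20227 fix.

Added example for this advisory; not code from SQLite, Red Hat or Wiz.
A "predates" result is a prompt to check the package changelog, not proof of
exposure: distributions backport fixes without bumping the version string.
"""
import sqlite3
from typing import Tuple

Version = Tuple[int, int, int]

# SQLite 3.34.1, released 2021-01-20, is the first fixed upstream release.
FIXED_VERSION: Version = (3, 34, 1)


def parse_version(version: str) -> Version:
    """Turn a version string such as '3.34.0' or '3.34' into a 3-tuple.

    Missing trailing components count as 0, so '3.34' becomes (3, 34, 0),
    which sorts below the patch release (3, 34, 1) as it should.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a SQLite version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: Version) -> bool:
    """True if the version predates the 3.34.1 fix (tuple comparison)."""
    return version < FIXED_VERSION


def linked_sqlite_version() -> Version:
    """Ask the loaded library itself via the sqlite_version() SQL function.

    This reports the copy of SQLite the interpreter really linked, which can
    differ from the distro's sqlite package when the runtime bundles its own.
    """
    conn = sqlite3.connect(":memory:")
    try:
        (version,) = conn.execute("SELECT sqlite_version()").fetchone()
    finally:
        conn.close()
    return parse_version(version)


def report(version: Version) -> str:
    """Human-readable verdict for one version tuple."""
    text = ".".join(str(n) for n in version)
    if is_vulnerable(version):
        return f"SQLite {text}: predates 3.34.1, check for a backported fix"
    return f"SQLite {text}: 3.34.1 or later, CVE-2021-20227 fixed upstream"


if __name__ == "__main__":
    # Constructed sample versions alongside the one this process linked.
    for v in ("3.33.0", "3.34.0", "3.34.1", "3.45.1"):
        print(report(parse_version(v)))
    print("linked:", report(linked_sqlite_version()))
```

Run the script inside each runtime you care about (the system Python, a bundled application interpreter, a container image) rather than once on the host, since each may link a different copy of the library.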


Related SQLite vulnerabilities:

CVE ID             Severity  Score  Technologies  Component name             CISA KEV exploit  Has fix  Published date
CVE-2025-6965      HIGH      7.2    SQLite        rust-analyzer              No                Yes      Jul 15, 2025
CVE-2025-7709      MEDIUM    6.9    SQLite        sqlite-libs                No                Yes      Sep 08, 2025
CVE-2025-7458      MEDIUM    6.9    SQLite        nodejs:22::v8-12.4-devel   No                Yes      Jul 29, 2025
ELSA-2025-20936    HIGH      N/A    SQLite        sqlite                     No                Yes      Nov 25, 2025
CVE-2025-52099     N/A       N/A    SQLite        mingw32-sqlite-static      No                Yes      Oct 24, 2025
