Bug 1137497 (CVE-2019-12616)

Summary: VUL-0: CVE-2019-12616: phpmyadmin: broken tag provided by attacker and pointing at the victim's phpMyAdmin database can cause CSRF
Product: [openSUSE] openSUSE Distribution Reporter: Robert Frohl <rfrohl>
Component: SecurityAssignee: Christian Wittmer <chris>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: lang
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/234301/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2019-06-06 12:17:10 UTC 
rh#1717402

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken 'img' tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.

Upstream advisory:

https://www.phpmyadmin.net/security/PMASA-2019-4/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1717402
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12616
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12616
https://www.phpmyadmin.net/security/PMASA-2019-4/
https://www.phpmyadmin.net/security/
Comment 1 Christian Wittmer 2019-06-30 13:29:32 UTC 
ongoing work
Comment 2 Swamp Workflow Management 2019-06-30 14:00:45 UTC 
This is an autogenerated message for OBS integration:
This bug (1137497) was mentioned in
https://build.opensuse.org/request/show/712645 15.0+15.1+42.3+Backports:SLE-12+Backports:SLE-15 / phpMyAdmin
Comment 3 Swamp Workflow Management 2019-07-02 10:13:34 UTC 
openSUSE-SU-2019:1689-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1137496,1137497
CVE References: CVE-2019-11768,CVE-2019-12616
Sources used:
openSUSE Leap 42.3 (src):    phpMyAdmin-4.9.0.1-31.1
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.0.1-lp151.2.3.1
openSUSE Leap 15.0 (src):    phpMyAdmin-4.9.0.1-lp150.31.1
openSUSE Backports SLE-15 (src):    phpMyAdmin-4.9.0.1-bp150.31.1
Comment 4 Swamp Workflow Management 2019-07-02 10:15:13 UTC 
openSUSE-SU-2019:1689-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1137496,1137497
CVE References: CVE-2019-11768,CVE-2019-12616
Sources used:
openSUSE Leap 42.3 (src):    phpMyAdmin-4.9.0.1-31.1
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.0.1-lp151.2.3.1
openSUSE Leap 15.0 (src):    phpMyAdmin-4.9.0.1-lp150.31.1
openSUSE Backports SLE-15 (src):    phpMyAdmin-4.9.0.1-bp150.31.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.9.0.1-31.1
Comment 5 Tomáš Chvátal 2019-07-11 11:42:40 UTC 
This is automated batch bugzilla cleanup.

The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please
feel free to reopen this bug against that version (!you must update the
"Version" component in the bug fields, do not just reopen please), or
alternatively create a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime
Comment 6 Marcus Meissner 2019-07-12 06:45:05 UTC 
was fixed
Comment 7 Swamp Workflow Management 2019-08-14 07:10:46 UTC 
openSUSE-SU-2019:1861-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1137496,1137497
CVE References: CVE-2019-11768,CVE-2019-12616
Sources used:
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.0.1-bp151.3.3.1