Bug 1215551 (CVE-2023-40619)

Summary: VUL-0: CVE-2023-40619: phpPgAdmin: deserialization of untrusted data which may lead to remote code execution
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Status: REOPENED
Severity: Normal
Priority: P3 - Medium
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/379518/
Whiteboard:
Found By: Security Response Team
Business Priority:
Marketing QA Status: ---
Reporter: Alexander Bergmann <abergmann>
Assignee: Christian Wittmer <chris>
QA Contact: Security Team bot <security-team>
CC: abergmann, chris, meissner, security-team
Services Priority:
Blocker: ---
IT Deployment: ---

Description Alexander Bergmann 2023-09-21 07:00:59 UTC
CVE-2023-40619

phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data
which may lead to remote code execution because user-controlled data is directly
passed to the PHP 'unserialize()' function in multiple places. An example is the
functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter
is deserialized.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40619
https://www.cve.org/CVERecord?id=CVE-2023-40619
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-40619
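The bug class named in the advisory (a POST value handed straight to PHP's unserialize()), shown as an added example beside two hardened forms. This is not phpPgAdmin's code: only the 'ma' parameter name comes from the advisory; the handler shape, the expected array layout ['table' => ...], and the LogWriter gadget class are constructed for the demonstration.

```php
<?php
// Added example, not taken from phpPgAdmin. The 'ma' POST parameter name is
// from the advisory; the handler bodies and the LogWriter class are assumptions
// made to illustrate why unserialize() on user input is dangerous.
declare(strict_types=1);

// Any class the application can autoload becomes a candidate "gadget" once an
// attacker controls the serialized object graph. This constructed class has a
// destructor with a side effect (an arbitrary file write); real gadget chains
// reach code execution through similar magic methods.
final class LogWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data, FILE_APPEND);
        }
    }
}

// Vulnerable pattern: each 'ma[]' value is deserialized as-is, so the client
// decides which classes get instantiated (and whose __wakeup/__destruct run).
function handleMultiActionVulnerable(array $post): array
{
    $tables = [];
    foreach ($post['ma'] ?? [] as $v) {
        $a = unserialize($v);   // objects of ANY class are created here
        if (is_array($a) && isset($a['table'])) {
            $tables[] = (string) $a['table'];
        }
    }
    return $tables;
}

// Hardened pattern 1 (PHP >= 7.0): forbid object instantiation entirely. Any
// object in the payload becomes __PHP_Incomplete_Class, which has no magic
// methods, and the result is then checked against the shape we expect.
function handleMultiActionHardened(array $post): array
{
    $tables = [];
    foreach ($post['ma'] ?? [] as $v) {
        if (!is_string($v)) {          // ma[] can also carry nested arrays
            continue;
        }
        $a = @unserialize($v, ['allowed_classes' => false]);
        if (!is_array($a) || !isset($a['table']) || !is_string($a['table'])) {
            continue;
        }
        $tables[] = $a['table'];
    }
    return $tables;
}

// Hardened pattern 2 (preferred for new code): do not round-trip PHP's native
// serialization through the client at all. JSON cannot encode objects with
// behaviour, so there is nothing for a gadget chain to hook into.
function handleMultiActionJson(array $post): array
{
    $tables = [];
    foreach ($post['ma'] ?? [] as $v) {
        $a = is_string($v) ? json_decode($v, true, 2) : null;
        if (is_array($a) && isset($a['table']) && is_string($a['table'])) {
            $tables[] = $a['table'];
        }
    }
    return $tables;
}

// --- demonstration with constructed inputs ---
$target  = sys_get_temp_dir() . '/unserialize-demo.txt';
$message = "written by a deserialized LogWriter\n";
// Hand-built payload: O:<len>:"<class>":<nprops>:{<props>}; no LogWriter
// instance is created on the "attacker" side, only this string.
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($message), $message
);
$benign    = ['ma' => [serialize(['table' => 'customers'])]];
$malicious = ['ma' => [$payload]];

@unlink($target);
handleMultiActionVulnerable($malicious);  // returns [], but the object lived and died
printf("vulnerable: %s\n", file_exists($target) ? 'file WRITTEN' : 'file absent');

@unlink($target);
handleMultiActionHardened($malicious);    // __PHP_Incomplete_Class, no destructor
printf("hardened:   %s\n", file_exists($target) ? 'file WRITTEN' : 'file absent');

print_r(handleMultiActionHardened($benign));                                   // customers
print_r(handleMultiActionJson(['ma' => [json_encode(['table' => 'orders'])]])); // orders
@unlink($target);
```

Run it with `php demo.php`: the vulnerable handler never even returns the gadget (the shape check rejects it), yet the file write still happens, because the destructor fires when the temporary object is released. That is the point of the advisory's wording: the damage is done inside unserialize() and the object's lifecycle, before any application-level validation gets a look at the data. The `allowed_classes` option closes that hole for existing call sites; switching the wire format to JSON removes the call site altogether.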
Comment 1 Christian Wittmer 2023-11-03 11:03:25 UTC
Update is coming ... with 7.14.6
https://build.opensuse.org/request/show/1123213
and Forwarded to Factory:
https://build.opensuse.org/request/show/1123214
Comment 2 Christian Wittmer 2023-11-03 11:16:05 UTC
and Maintenance Request:
https://build.opensuse.org/request/show/1123216
Comment 3 Christian Wittmer 2023-11-03 13:34:35 UTC
Should not have closed it.
Assign back to security.
Comment 4 Marcus Meissner 2024-05-19 19:11:22 UTC
openSUSE:Backports:SLE-15-SP5:Update phpPgAdmin is still at 7.13.0
also 
openSUSE:Backports:SLE-15-SP6 phpPgAdmin same