Bug 1160456 - VUL-0: CVE-2020-5504: phpMyAdmin: SQL injection in user accounts page
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2020-01-08 14:41 UTC by Christian Wittmer
Modified: 2020-03-24 10:48 UTC
Description Christian Wittmer 2020-01-08 14:41:47 UTC
CVE-2020-5504

A SQL injection flaw has been discovered in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

Affected Versions
phpMyAdmin 4.x versions prior to 4.9.4 are affected, at least as old as 4.0.0. phpMyAdmin 5.x version 5.0.0 is affected.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5504
https://www.phpmyadmin.net/security/PMASA-2020-1/
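The bug class in the description, as an added illustration (not phpMyAdmin's own code): a user-account lookup that splices the username into the SQL text beside one that binds it as a parameter. The table is a constructed sqlite3 stand-in for MySQL's mysql.user, and the function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for mysql.user (assumption: sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mysql_user (User TEXT, Host TEXT)")
    conn.executemany(
        "INSERT INTO mysql_user VALUES (?, ?)",
        [("alice", "localhost"), ("o'brien", "%"), ("root", "localhost")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the account holder's own username is spliced into the SQL text.
    A quote in the username ends the string literal, so the rest is parsed as SQL."""
    sql = "SELECT User, Host FROM mysql_user WHERE User = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the username travels as a bound parameter, never as SQL text."""
    sql = "SELECT User, Host FROM mysql_user WHERE User = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on a benign quoted name and on a name that alters the query."""
    conn = make_db()
    out = {}
    # A legitimate name containing a quote: binding handles it, splicing breaks the query.
    out["safe_quote"] = lookup_safe(conn, "o'brien")
    try:
        out["unsafe_quote"] = lookup_unsafe(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        out["unsafe_quote"] = "error: " + str(exc)
    # A name chosen to close the literal: splicing widens the WHERE clause to other
    # accounts, binding simply finds no user with that (literal) name.
    crafted = "alice' OR User = 'root"
    out["unsafe_crafted"] = lookup_unsafe(conn, crafted)
    out["safe_crafted"] = lookup_safe(conn, crafted)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The precondition in the advisory (a valid MySQL account) is exactly why the bound-parameter form matters: an authenticated user's own identity string is still attacker-controlled input.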
Comment 1 Christian Wittmer 2020-01-08 14:50:32 UTC
... ongoing work
Comment 2 Swamp Workflow Management 2020-01-08 15:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1160456) was mentioned in
https://build.opensuse.org/request/show/761881 Factory / phpMyAdmin
https://build.opensuse.org/request/show/761885 15.1+Backports:SLE-12+Backports:SLE-15+Backports:SLE-15-SP1 / phpMyAdmin
Comment 3 Swamp Workflow Management 2020-01-14 20:17:17 UTC
openSUSE-SU-2020:0056-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1150914,1157614,1160456
CVE References: CVE-2019-12922,CVE-2019-18622,CVE-2020-5504
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.9.4-40.1
Comment 4 Andreas Stieger 2020-03-24 10:48:49 UTC
fixed