Bug 1215551 (CVE-2023-40619) - VUL-0: CVE-2023-40619: phpPgAdmin: deserialization of untrusted data which may lead to remote code execution
Status: REOPENED
Alias: CVE-2023-40619
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Christian Wittmer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/379518/
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2023-09-21 07:00 UTC by Alexander Bergmann
Modified: 2024-05-19 19:11 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2023-09-21 07:00:59 UTC
CVE-2023-40619

phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data
which may lead to remote code execution because user-controlled data is directly
passed to the PHP 'unserialize()' function in multiple places. An example is the
functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter
is deserialized.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40619
https://www.cve.org/CVERecord?id=CVE-2023-40619
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-40619
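The pattern the description names, as an added illustration that is not part of this bug report and not phpPgAdmin's own source: a 'ma[]' POST entry fed straight to unserialize(), shown next to a hardened variant that parses the entry as JSON into a plain array and validates the one key the page needs. The class Probe and the two function names are illustrative assumptions, not identifiers from tables.php; the request bodies are constructed, not captured traffic.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from phpPgAdmin. It models the pattern the
// CVE text describes (entries of the 'ma[]' POST parameter handed straight
// to unserialize()) next to a hardened variant. The class and function
// names are illustrative assumptions, not identifiers from tables.php.

// Stand-in for any class present in the application that has a magic
// method. unserialize() instantiates whatever class the string names and
// runs __wakeup() before the caller ever inspects the result; a real
// gadget would do something harmful here instead of setting a flag.
final class Probe
{
    public static bool $woken = false;

    public function __wakeup(): void
    {
        self::$woken = true;
    }
}

// Vulnerable shape: each ma[] entry is deserialized as-is, so the sender
// of the request chooses which class gets instantiated.
function vulnerable_multi_action(array $post): array
{
    $tables = [];
    foreach ($post['ma'] ?? [] as $entry) {
        $a = unserialize($entry);
        $tables[] = is_array($a) ? ($a['table'] ?? null) : null;
    }
    return $tables;
}

// Hardened shape: the page only needs a list of table names, so entries are
// parsed as JSON into plain arrays (no object can be created) and the
// expected key is checked before use.
function hardened_multi_action(array $post): array
{
    $tables = [];
    foreach ($post['ma'] ?? [] as $entry) {
        if (!is_string($entry)) {
            throw new InvalidArgumentException('ma[] entry must be a string');
        }
        $a = json_decode($entry, true, 2, JSON_THROW_ON_ERROR);
        if (!is_array($a) || !isset($a['table']) || !is_string($a['table'])) {
            throw new InvalidArgumentException('malformed ma[] entry');
        }
        $tables[] = $a['table'];
    }
    return $tables;
}

// Constructed request bodies (not captured traffic). Static properties are
// not serialized, so the hostile entry is nothing more than a class name.
$legit   = ['ma' => [serialize(['table' => 'users'])]];
$hostile = ['ma' => [serialize(new Probe())]];

vulnerable_multi_action($legit);
vulnerable_multi_action($hostile);
var_dump(Probe::$woken);   // the magic method ran during unserialize()

Probe::$woken = false;
hardened_multi_action(['ma' => [json_encode(['table' => 'users'])]]);
try {
    hardened_multi_action($hostile);   // serialized PHP is not valid JSON
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(Probe::$woken);   // nothing was instantiated
```

Running this under PHP 7.4 or later, the first var_dump shows the flag set by the vulnerable path and the second shows it still cleared after the hardened path rejected the same entry. A narrower mitigation is unserialize($entry, ['allowed_classes' => false]), which turns any object into __PHP_Incomplete_Class so no magic method runs, but it leaves the decoded structure unvalidated and still lets the sender choose the data shape; since this parameter only ever carries table identifiers, accepting a plain list of strings and checking each against the tables the user may act on removes the need for any serialization format at all.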
Comment 1 Christian Wittmer 2023-11-03 11:03:25 UTC
Update is coming ... with 7.14.6
https://build.opensuse.org/request/show/1123213
and Forwarded to Factory:
https://build.opensuse.org/request/show/1123214
Comment 2 Christian Wittmer 2023-11-03 11:16:05 UTC
and Maintenance Request:
https://build.opensuse.org/request/show/1123216
Comment 3 Christian Wittmer 2023-11-03 13:34:35 UTC
Should not have closed it.
Assign back to security.
Comment 4 Marcus Meissner 2024-05-19 19:11:22 UTC
openSUSE:Backports:SLE-15-SP5:Update phpPgAdmin is still at 7.13.0
also
openSUSE:Backports:SLE-15-SP6 phpPgAdmin same