Bug 1167336 - (CVE-2020-10802) VUL-0: CVE-2020-10802: phpMyAdmin: SQL injection relating to searching (PMASA-2020-3)
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/255565/
Reported: 2020-03-22 12:57 UTC by Andreas Stieger
Modified: 2020-11-01 17:17 UTC (History)

Description Andreas Stieger 2020-03-22 12:57:21 UTC
An SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions within phpMyAdmin.

An attacker can generate specially-crafted database or table names. The attack can be performed if a user attempts certain search operations on the malicious database or table.


Fixed for phpMyAdmin 4.9.x in 4.9.5
Fixed for phpMyAdmin 5.0.x in 5.0.2

References:
https://www.phpmyadmin.net/security/PMASA-2020-3/
https://github.com/phpmyadmin/phpmyadmin/commit/a8acd7a42cf743186528b0453f90aaa32bfefabe

Comment 1 Swamp Workflow Management 2020-03-23 22:40:09 UTC
This is an autogenerated message for OBS integration:
This bug (1167336) was mentioned in
https://build.opensuse.org/request/show/787596 15.1+Backports:SLE-12 / phpMyAdmin

Comment 2 Swamp Workflow Management 2020-03-29 22:17:12 UTC
openSUSE-SU-2020:0405-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1167335,1167336,1167337
CVE References: CVE-2020-10802,CVE-2020-10803,CVE-2020-10804
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.9.5-43.1

Comment 3 Swamp Workflow Management 2020-03-29 22:19:18 UTC
openSUSE-SU-2020:0405-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1167335,1167336,1167337
CVE References: CVE-2020-10802,CVE-2020-10803,CVE-2020-10804
Sources used:
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.5-lp151.2.15.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.9.5-43.1

Comment 4 Andreas Stieger 2020-03-30 08:19:06 UTC
done

Comment 5 Swamp Workflow Management 2020-03-31 16:15:13 UTC
openSUSE-SU-2020:0427-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1167335,1167336,1167337
CVE References: CVE-2020-10802,CVE-2020-10803,CVE-2020-10804
Sources used:
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.5-bp151.3.15.1

Comment 6 OBSbugzilla Bot 2020-10-21 17:30:18 UTC
This is an autogenerated message for OBS integration:
This bug (1167336) was mentioned in
https://build.opensuse.org/request/show/843257 15.1+Backports:SLE-12+Backports:SLE-15+Backports:SLE-15-SP1 / phpMyAdmin

Comment 7 Swamp Workflow Management 2020-11-01 17:15:40 UTC
openSUSE-SU-2020:1806-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1167335,1167336,1167337,1177561,1177562,1177842
CVE References: CVE-2020-10802,CVE-2020-10803,CVE-2020-10804,CVE-2020-26934,CVE-2020-26935
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.7-lp151.2.24.1
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.7-bp151.3.24.1
openSUSE Backports SLE-15 (src):    phpMyAdmin-4.9.7-bp150.43.1

Comment 8 Swamp Workflow Management 2020-11-01 17:17:08 UTC
openSUSE-SU-2020:1806-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1167335,1167336,1167337,1177561,1177562,1177842
CVE References: CVE-2020-10802,CVE-2020-10803,CVE-2020-10804,CVE-2020-26934,CVE-2020-26935
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.7-lp151.2.24.1
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.7-bp151.3.24.1
openSUSE Backports SLE-15 (src):    phpMyAdmin-4.9.7-bp150.43.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.9.7-52.1