Lucene search

GitHub Advisory DatabaseGHSA-7FF4-CV53-4CJQ

HistoryMay 24, 2022 - 5:30 p.m.

phpMyAdmin SQL injection vulnerability

2022-05-2417:30:27

CWE-89

GitHub Advisory Database

github.com

phpmyadmin

sql injection

searchcontroller

vulnerability

software

malicious sql

query

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

Low

EPSS

0.008

Percentile

82.2%

JSON

An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.

Affected configurations

Vulners

Node

phpmyadminphpmyadminRange5.0.0–5.0.3

phpmyadminphpmyadminRange4.9.0–4.9.6

VendorProductVersionCPE
phpmyadminphpmyadmin*cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
phpmyadmin	phpmyadmin	*	cpe:2.3:a:phpmyadmin:phpmyadmin::::::::

References

lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html

lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html

advisory.checkmarx.net/advisory/CX-2020-4281

github.com/advisories/GHSA-7ff4-cv53-4cjq

github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-26935.yaml

lists.debian.org/debian-lts-announce/2020/10/msg00024.html

lists.fedoraproject.org/archives/list/[email protected]/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K

lists.fedoraproject.org/archives/list/[email protected]/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO

lists.fedoraproject.org/archives/list/[email protected]/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5

nvd.nist.gov/vuln/detail/CVE-2020-26935

security.gentoo.org/glsa/202101-35

www.phpmyadmin.net/security/PMASA-2020-6

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

Low

EPSS

0.008

Percentile

82.2%

JSON

Related for GHSA-7FF4-CV53-4CJQ