GitHub Advisory Database: GHSA-XRPQ-63MP-9VCW
History: May 02, 2022 - 3:22 a.m.

phpMyAdmin HTTP Response Splitting Vulnerability

Timestamp: 2022-05-02 03:22:03
CWE: CWE-20, CWE-113
Source: GitHub Advisory Database (github.com)

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AI Score: 7.1 (Confidence: Low)
EPSS: 0.011 (Percentile: 84.6%)

CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters.
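
The advisory includes no code, so the following is an added illustration, not phpMyAdmin's code or its actual fix: a hypothetical PHP helper, `safe_media_type()`, that lets a request-supplied value such as `c_type` reach a `Content-Type` header only when it is a bare `type/subtype` media type, which excludes the CR and LF bytes that header injection depends on. The sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example: safe_media_type() is a hypothetical helper, not phpMyAdmin code.

/**
 * Return $value only if it is a bare "type/subtype" media type;
 * otherwise return a fixed default that is safe to place in a header.
 */
function safe_media_type($value, string $default = 'application/octet-stream'): string
{
    // Query parameters can arrive as arrays (?c_type[]=x); accept strings only.
    if (!is_string($value) || strlen($value) > 127) {
        return $default;
    }
    // HTTP "token" characters on both sides of exactly one slash.
    // \A and \z anchor the whole string; "$" would tolerate a trailing "\n".
    $token = '[A-Za-z0-9!#$%&\'*+.^_`|~-]+';
    if (preg_match('@\A' . $token . '/' . $token . '\z@', $value) === 1) {
        return $value;
    }
    return $default;
}

// Constructed sample inputs, as they might arrive in a c_type parameter.
$samples = [
    'image/png',
    "image/png\n",
    "text/html\r\nX-Injected: 1",
    'text/html; charset=utf-8', // parameters are rejected by this strict form
    ['image/png'],
];

foreach ($samples as $sample) {
    printf("%-36s => %s\n", json_encode($sample), safe_media_type($sample));
}

// In a download script the checked value, never the raw parameter, reaches the header:
// header('Content-Type: ' . safe_media_type($_GET['c_type'] ?? null));
```

Only the first sample is returned unchanged; every other input falls back to `application/octet-stream`.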

Affected configurations

Vulners node: phpmyadmin phpmyadmin, range < 3.1.3.1

Vendor: phpmyadmin
Product: phpmyadmin
Version: *
CPE: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*
