Main Vulnerability Database SB2016101809

SB2016101809 - OS Command Injection in phpmyadmin (Alpine package)

Published: October 18, 2016

Security Bulletin ID SB2016101809

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) OS Command Injection (CVE-ID: CVE-2016-6631)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=e3226bf79b872494874e7f139d2c88c069c4d60f
https://git.alpinelinux.org/aports/commit/?id=abae6704b5ad5fa0ac123378e37f2b81d2585ff0