SQL injection in phpmyadmin (Alpine package)

Published: 2020-03-22
Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2020-10802
CWE-ID: CWE-89
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: phpmyadmin (Alpine package)
Category: Operating systems & Components / Operating system package or component
Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) SQL injection

EUVDB-ID: #VU26289

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10802

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary SQL queries against the database.

The vulnerability exists due to insufficient sanitization of database and table names during search operations. A remote user can create a database or table with a specially crafted name, trick the victim into running a search against it, and thereby execute arbitrary SQL commands in the database. Exploitation requires the attacker to have an account that can create the object and the victim to interact with it, which is reflected in the PR:L and UI:R components of the CVSS vector.
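The following is an added illustration of this vulnerability class, not code from phpMyAdmin or from the Alpine package: a search query that binds the search term as a parameter but pastes the table and column names between bare backticks, beside the corrected form that quotes identifiers by doubling embedded backticks (the rule MySQL applies to backtick-quoted identifiers). SQLite is used as the backend because it accepts MySQL-style backtick identifiers with the same escape, so the example runs offline. The table names, rows, payload and the `backquote` helper are all constructed for this example.

```python
"""Added illustration of CWE-89 via a crafted identifier. Not phpMyAdmin code.
SQLite accepts MySQL-style backtick identifiers, including the doubled-backtick
escape, so the same quoting rule can be exercised without a MySQL server."""
import sqlite3

# Constructed attacker-chosen table name. Inside a bare `...` pair the first
# embedded backtick closes the identifier and the remainder is parsed as SQL.
EVIL_TABLE = "secrets` UNION SELECT * FROM `notes"


def backquote(identifier: str) -> str:
    """Quote a MySQL-style identifier: wrap in backticks and double every
    embedded backtick. Assumed helper written for this example; it is not a
    reproduction of phpMyAdmin's own quoting function."""
    return "`" + identifier.replace("`", "``") + "`"


def make_db() -> sqlite3.Connection:
    """Constructed fixture: a sensitive table, an ordinary table, and an
    attacker-created table whose *name* carries the payload."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE secrets(owner TEXT, token TEXT);
        INSERT INTO secrets VALUES ('root', 'tok-AAAA'), ('backup', 'tok-BBBB');
        CREATE TABLE notes(title TEXT, body TEXT);
        INSERT INTO notes VALUES ('hello', 'world');
        CREATE TABLE "{EVIL_TABLE}"(title TEXT, body TEXT);
        INSERT INTO "{EVIL_TABLE}" VALUES ('hello', 'from attacker');
    """)
    return con


def search_vulnerable(con, table, column, term):
    """The search term is bound as a parameter, but the table and column
    names are pasted between bare backticks: a crafted name escapes them and
    the attacker's SQL runs with the victim's privileges."""
    sql = f"SELECT * FROM `{table}` WHERE `{column}` LIKE ?"
    return sql, con.execute(sql, (f"%{term}%",)).fetchall()


def search_fixed(con, table, column, term):
    """Same query with every identifier passed through backquote(); the
    crafted name is now looked up literally as a table name."""
    sql = f"SELECT * FROM {backquote(table)} WHERE {backquote(column)} LIKE ?"
    return sql, con.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The victim "searches" the attacker's table for the word 'hello'.
    for fn in (search_vulnerable, search_fixed):
        sql, rows = fn(db, EVIL_TABLE, "title", "hello")
        print(f"{fn.__name__}:\n  {sql}\n  -> {rows}")
```

With the bare-backtick query the victim's search of the attacker's table returns every row of `secrets` in addition to the matching `notes` row, because the crafted name turned the statement into a UNION; with `backquote()` the same search returns only the one row that actually lives in the attacker's table. The fix is a quoting rule applied to every identifier that reaches the query string (in MySQL the database part of a `db`.`table` reference needs the same treatment), not a denylist of characters in names.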

Mitigation

Install the updated phpmyadmin package from Alpine Linux; the fixing aports commits are listed under External links.

Vulnerable software versions

phpmyadmin (Alpine package): 4.9.0.1-r0 - 5.0.1-r0

External links

http://git.alpinelinux.org/aports/commit/?id=d1ca28236a0ac918327d8820c62f999334ae5425
http://git.alpinelinux.org/aports/commit/?id=6968b89f72fd65cf6c2f9599cae37f8a0cb04f79


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


