Fluid Attacks Database

Description

phpMyAdmin SQL injection vulnerability In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpmyadmin/phpmyadmin	>=4.9.0 <4.9.5 \|\| >=5.0.0 <5.0.2	4.9.5, 5.0.2
debian 11	phpmyadmin	>=0 <4:4.9.5+dfsg1-1	4:4.9.5+dfsg1-1
debian 12	phpmyadmin	>=0 <4:4.9.5+dfsg1-1	4:4.9.5+dfsg1-1
debian 13	phpmyadmin	>=0 <4:4.9.5+dfsg1-1	4:4.9.5+dfsg1-1

Aliases

1. CVE-2020-108022. NVD-2020-108023. OSV-2020-108024. OSV-DEBIAN-2020-108025. GCVE-2020-108026. lists.debian.org7. SECURITY-TRACKER-CVE-2020-10802

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10802.yaml2. https://lists.fedoraproject.org/archives/list/[email protected]/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ3. https://lists.fedoraproject.org/archives/list/[email protected]/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK4. https://lists.fedoraproject.org/archives/list/[email protected]/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO5. https://www.phpmyadmin.net/security/PMASA-2020-36. http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html7. http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html8. http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html