CVE-2018-19968
Publication date 11 December 2018
Last updated 24 July 2024
Ubuntu priority
An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.
From the Ubuntu Security Team
It was discovered that there was a bug in the way phpMyAdmin handles the phpMyAdmin Configuration Storage tables. An authenticated attacker could use this vulnerability to cause phpmyAdmin to leak sensitive files.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| phpmyadmin | 22.04 LTS jammy |
Not affected
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Fixed 4:4.6.6-5ubuntu0.5
|
|
| 16.04 LTS xenial |
Fixed 4:4.5.4.1-2ubuntu2.1+esm6
|
|
| 14.04 LTS trusty |
Fixed 4:4.0.10-1ubuntu0.1+esm4
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4639-1
- phpMyAdmin vulnerabilities
- 19 November 2020
- USN-4843-1
- phpMyAdmin vulnerabilities
- 16 March 2021