CVE-2019-6798
Published: 26 January 2019
An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
From the Ubuntu Security Team
It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted username.
Priority
Status
Package | Release | Status |
---|---|---|
phpmyadmin (Launchpad, Ubuntu, Debian) | bionic | Released (4:4.6.6-5ubuntu0.5) |
phpmyadmin | cosmic | Ignored (end of life) |
phpmyadmin | disco | Ignored (end of life) |
phpmyadmin | eoan | Does not exist |
phpmyadmin | focal | Not vulnerable (4:4.9.2+dfsg1-1) |
phpmyadmin | groovy | Not vulnerable (4:4.9.2+dfsg1-1) |
phpmyadmin | hirsute | Not vulnerable (4:4.9.2+dfsg1-1) |
phpmyadmin | impish | Not vulnerable (4:4.9.2+dfsg1-1) |
phpmyadmin | jammy | Not vulnerable (4:4.9.2+dfsg1-1) |
phpmyadmin | trusty | Not vulnerable (code not present) |
phpmyadmin | upstream | Released (4.8.5, 4:4.9.1+dfsg1-2) |
phpmyadmin | xenial | Released (4:4.5.4.1-2ubuntu2.1+esm3), available with Ubuntu Pro |

Patches:
upstream: https://github.com/phpmyadmin/phpmyadmin/commit/469934cf7d3bd19a839eb78670590f7511399435
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |