CVE-2020-26935
Published: 10 October 2020
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.
From the Ubuntu Security Team
It was discovered that phpMyAdmin did not properly handle certain SQL statements in the search feature. An attacker could use this vulnerability to inject malicious SQL into a query.
Priority
Status
Package | Release | Status
---|---|---
phpmyadmin (Launchpad, Ubuntu, Debian) | bionic | Released (4:4.6.6-5ubuntu0.5)
phpmyadmin | focal | Released (4:4.9.5+dfsg1-2ubuntu0.1~esm1), available with Ubuntu Pro
phpmyadmin | groovy | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | hirsute | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | impish | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | jammy | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | kinetic | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | lunar | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | mantic | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | noble | Not vulnerable (4:4.9.7+dfsg1-1)
phpmyadmin | trusty | Not vulnerable (code not present)
phpmyadmin | upstream | Needs triage
phpmyadmin | xenial | Not vulnerable (code not present)
Severity score breakdown
Parameter | Value
---|---
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://www.phpmyadmin.net/security/PMASA-2020-6/
- https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2
- https://ubuntu.com/security/notices/USN-4639-1
- https://ubuntu.com/security/notices/USN-4843-1
- https://www.cve.org/CVERecord?id=CVE-2020-26935
- NVD
- Launchpad
- Debian