CVE-2020-5504
Published: 9 January 2020
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
From the Ubuntu Security Team
It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted username.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
phpmyadmin Launchpad, Ubuntu, Debian |
bionic |
Released
(4:4.6.6-5ubuntu0.5)
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Does not exist
|
|
| focal |
Not vulnerable
(4:4.9.5+dfsg1-2)
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Not vulnerable
(4:4.9.7+dfsg1-1)
|
|
| impish |
Not vulnerable
(4:5.0.4+dfsg2-2)
|
|
| jammy |
Needed
|
|
| kinetic |
Ignored
(end of life, was needed)
|
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Needed
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(4:4.2.12-2+deb8u8)
|
|
| xenial |
Released
(4:4.5.4.1-2ubuntu2.1+esm6)
Available with Ubuntu Pro |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://github.com/phpmyadmin/phpmyadmin/commit/c86acbf3ed49f69cf38b31879886dd5eb86b6983
- https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b
- https://www.phpmyadmin.net/security/PMASA-2020-1/
- https://ubuntu.com/security/notices/USN-4639-1
- https://ubuntu.com/security/notices/USN-4843-1
- https://www.cve.org/CVERecord?id=CVE-2020-5504
- NVD
- Launchpad
- Debian