CVE-2020-10802: SQL Injection
First published: Sat Jan 18 2020(Updated: )
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpmyadmin/phpmyadmin | >=4.9.0<4.9.5>=5.0.0<5.0.2 | |
| phpMyAdmin phpMyAdmin | >=4.0.0<4.9.5 | |
| phpMyAdmin phpMyAdmin | >=5.0.0<5.0.2 | |
| Debian Debian Linux | =8.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| openSUSE Backports SLE | =15.0 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Leap | =15.1 | |
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 | |
| composer/phpmyadmin/phpmyadmin | >=5.0.0<5.0.2 | 5.0.2 |
| composer/phpmyadmin/phpmyadmin | >=4.9.0<4.9.5 | 4.9.5 |
| All of | ||
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.phpmyadmin.net/security/PMASA-2020-3/
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html
- https://lists.debian.org/debian-lts-announce/2020/03/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/
- https://nvd.nist.gov/vuln/detail/CVE-2020-10802
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10802.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO
- https://www.phpmyadmin.net/security/PMASA-2020-3
- https://github.com/advisories/GHSA-f4cr-3xmc-2wpm (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/
Frequently Asked Questions
What is CVE-2020-10802?
CVE-2020-10802 is a vulnerability related to SQL injection in the searching feature of phpMyAdmin.
What is the severity of CVE-2020-10802?
The severity of CVE-2020-10802 is high.
How does CVE-2020-10802 work?
CVE-2020-10802 allows an attacker to inject malicious SQL code through the search functionality of phpMyAdmin, leading to unauthorized access or manipulation of the database.
Is there any fix available for CVE-2020-10802?
Yes, phpMyAdmin has released a patch to fix CVE-2020-10802. It is recommended to upgrade to phpMyAdmin version 4.9.6 or 5.0.3 or later.
Where can I find more information about CVE-2020-10802?
You can find more information about CVE-2020-10802 on the official phpMyAdmin website: https://www.phpmyadmin.net/security/PMASA-2020-3/
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f4cr-3xmc-2wpm
- alias/CVE-2020-10802
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/author
- agent/references
- agent/event
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- agent/tags
- agent/trending
- package-manager/composer
- vendor/phpmyadmin
- canonical/phpmyadmin phpmyadmin
- version/phpmyadmin phpmyadmin/4.0.0
- version/phpmyadmin phpmyadmin/5.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0
- version/opensuse backports sle/15.0-sp1
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/suse
- canonical/suse package hub
- canonical/suse linux enterprise
- version/suse linux enterprise/12.0