CVE-2020-10804: SQL Injection
First published: Wed Mar 18 2020(Updated: )
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpmyadmin/phpmyadmin | >=4.9.0<4.9.5>=5.0.0<5.0.2 | |
| phpMyAdmin phpMyAdmin | >=4.0.0<4.9.5 | |
| phpMyAdmin phpMyAdmin | >=5.0.0<5.0.2 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| openSUSE Backports SLE | =15.0 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Leap | =15.1 | |
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 | |
| composer/phpmyadmin/phpmyadmin | >=5.0.0<5.0.2 | 5.0.2 |
| composer/phpmyadmin/phpmyadmin | >=4.9.0<4.9.5 | 4.9.5 |
| All of | ||
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.phpmyadmin.net/security/PMASA-2020-2/
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/
- https://nvd.nist.gov/vuln/detail/CVE-2020-10804
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-10804.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO
- https://www.phpmyadmin.net/security/PMASA-2020-2
- https://github.com/advisories/GHSA-h65r-8fp8-w7cx (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAVW3SUKWR5RF5LZ6SARCYOWBIFUIWOJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUG3IRITW2LUBGR5LSQMP7MVRTELHZJK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZI6EQVRRIG252DY3MBT33BJVCSYDMQO/
Frequently Asked Questions
What is the vulnerability ID for this SQL injection?
The vulnerability ID for this SQL injection is CVE-2020-10804.
What is the severity of CVE-2020-10804?
The severity of CVE-2020-10804 is dependent on the specific use case and configuration, but SQL injections can have a high impact if exploited.
How does the SQL injection vulnerability in phpMyAdmin impact usernames?
The SQL injection vulnerability in phpMyAdmin allows an attacker to manipulate the processing of usernames, potentially gaining unauthorized access or causing data breaches.
What versions of phpMyAdmin are affected by this SQL injection vulnerability?
Versions 4.9.0 to 4.9.5 and 5.0.0 to 5.0.2 of phpMyAdmin are affected by this SQL injection vulnerability.
How can I fix the SQL injection vulnerability in phpMyAdmin?
To fix the SQL injection vulnerability, it is recommended to update phpMyAdmin to a version that includes the security patch provided by the vendor.
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h65r-8fp8-w7cx
- alias/CVE-2020-10804
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/author
- agent/references
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- package-manager/composer
- vendor/phpmyadmin
- canonical/phpmyadmin phpmyadmin
- version/phpmyadmin phpmyadmin/4.0.0
- version/phpmyadmin phpmyadmin/5.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0
- version/opensuse backports sle/15.0-sp1
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/suse
- canonical/suse package hub
- canonical/suse linux enterprise
- version/suse linux enterprise/12.0