Main Vulnerability Database SB2019012931

SB2019012931 - Fedora 29 update for phpMyAdmin

Published: January 29, 2019 Updated: April 24, 2025

Security Bulletin ID SB2019012931

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2019-6798)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing a specially crafted username within the designer feature. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

2) Information disclosure (CVE-ID: CVE-2019-6799)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to mysql.allow_local_infile is enabled by default when using the 'mysql' extension. A remote attacker can use a rogue MySQL server when AllowArbitraryServer configuration set to true to read any file on the server that the web server's user can access.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2019-09ae31d880