phpMyAdmin exposure of sensitive information

Posted date
08/03/2022
Importance
3 - Medium
Affected Resources

phpMyAdmin version 5.1.1 and earlier.

Description

INCIBE has coordinated the publication of a vulnerability in phpMyAdmin, with the internal code INCIBE-2022-0636, which has been discovered by Rafael Pedrero.

CVE-2022-0813 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Solution

This vulnerability has been fixed by the phpMyAdmin team in version 5.1.3, released on 11/02/2022.

Detail

phpMyAdmin 5.1.1 and earlier allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.
