Bug 717630

Summary:	<dev-db/phpmyadmin-{4.9.4,5.0.1}: SQL injection (CVE-2020-5504)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	jmbsvicetto, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=714014
Whiteboard:	B4 [noglsa cve]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2020-04-15 21:47:12 UTC

CVE-2020-5504 (https://nvd.nist.gov/vuln/detail/CVE-2020-5504):
  In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the
  user accounts page. A malicious user could inject custom SQL in place of
  their own username when creating queries to this page. An attacker must have
  a valid MySQL account to access the server.

Comment 1 Larry the Git Cow gentoo-dev

2020-04-15 23:56:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad

commit d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-04-15 23:55:49 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-04-15 23:56:15 +0000

    dev-db/phpmyadmin: Drop vulnerable release.
    
    Bug: https://bugs.gentoo.org/714014
    Bug: https://bugs.gentoo.org/715660
    Bug: https://bugs.gentoo.org/717630
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 -
 dev-db/phpmyadmin/phpmyadmin-4.9.2.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)

Comment 2 Sam James archtester

2020-04-16 00:22:16 UTC

Thanks!