Arbitrary File Read Vulnerability in phpMyAdmin by phpMyAdmin
CVE-2019-6799

5.9MEDIUM

Key Information:

Vendor
PHPmyadmin
Status
PHPmyadmin
Vendor
CVE Published:
26 January 2019

Summary

An issue in phpMyAdmin prior to version 4.8.5 allows attackers to exploit the 'AllowArbitraryServer' setting. When this configuration is enabled, an attacker can utilize a rogue MySQL server to read any file accessible to the web server's user. This vulnerability arises from the handling of the 'mysql.allow_local_infile' PHP setting and the oversight in processing 'options(MYSQLI_OPT_LOCAL_INFILE' calls. Therefore, sensitive information may be compromised, which emphasizes the need for careful configuration management.

References

https://www.phpmyadmin.net/security/PMASA-2019-1/
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2019/02/msg0...
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/106736
vdb-entryx_refsource_BID

EPSS Score

70% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.