CVE-2019-6799

NameCVE-2019-6799
DescriptionAn issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1692-1
Debian Bugs920823

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)bullseye4:5.0.4+dfsg2-2+deb11u1fixed
bookworm4:5.2.1+dfsg-1fixed
sid, trixie4:5.2.1+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcejessie4:4.2.12-2+deb8u5DLA-1692-1
phpmyadminsourcestretch4:4.6.6-4+deb9u1
phpmyadminsource(unstable)4:4.9.1+dfsg1-2920823

Notes

https://www.phpmyadmin.net/security/PMASA-2019-1/
https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec
https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900

Search for package or bug name: Reporting problems