Lucene search

K
phpmyadminPhpMyAdminPHPMYADMIN:PMASA-2010-3
HistoryJan 15, 2010 - 12:00 a.m.

Unsafe usage of unserialize function.

2010-01-1500:00:00
www.phpmyadmin.net
28

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS

0.008

Percentile

81.4%

PMASA-2010-3

Announcement-ID: PMASA-2010-3

Date: 2010-01-15

Updated: 2010-01-27

Summary

Unsafe usage of unserialize function.

Description

phpMyAdmin used the unserialize() PHP function on potentially unsafe data in setup script, what could be potentially used for XSRF attack, which can lead to code execution.

Severity

We consider these vulnerabilities to be critical.

Affected Versions

For 2.11.x: versions before 2.11.10 are affected.

Unaffected Versions

3.x releases are not affected.

Solution

Upgrade to phpMyAdmin 3.0.0 or 2.11.10.

References

We wish to thank to Thomas Biege and Sebastian Krahmer for pointing out this issue.

Assigned CVE ids: CVE-2009-4605

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made on the 2.11 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS

0.008

Percentile

81.4%