PublicDateAtUSN: 2018-12-11 17:29:00 UTC
Candidate: CVE-2018-19968
PublicDate: 2018-12-11 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19968
 https://www.phpmyadmin.net/security/PMASA-2018-6/
 https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732
 https://ubuntu.com/security/notices/USN-4639-1
Description:
 An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a
 local file because of an error in the transformation feature. The attacker
 must have access to the phpMyAdmin Configuration Storage tables, although
 these can easily be created in any database to which the attacker has
 access. An attacker must have valid credentials to log in to phpMyAdmin;
 this vulnerability does not allow an attacker to circumvent the login
 system.
Ubuntu-Description:
 It was discovered that there was a bug in the way phpMyAdmin handles the
 phpMyAdmin Configuration Storage tables. An authenticated attacker could use
 this vulnerability to cause phpmyAdmin to leak sensitive files.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]


Patches_phpmyadmin:
upstream_phpmyadmin: released (4.8.4, 4:4.9.1+dfsg1-2)
precise/esm_phpmyadmin: DNE
trusty_phpmyadmin: ignored (out of standard support)
trusty/esm_phpmyadmin: needed
xenial_phpmyadmin: ignored (end of standard support, was needed)
bionic_phpmyadmin: released (4:4.6.6-5ubuntu0.5)
cosmic_phpmyadmin: ignored (reached end-of-life)
disco_phpmyadmin: ignored (reached end-of-life)
eoan_phpmyadmin: DNE
focal_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
groovy_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
hirsute_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
impish_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
jammy_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)
devel_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)