PublicDateAtUSN: 2019-01-26 17:29:00 UTC Candidate: CVE-2019-6799 PublicDate: 2019-01-26 17:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6799 https://www.phpmyadmin.net/security/PMASA-2019-1/ https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900 https://ubuntu.com/security/notices/USN-4639-1 Description: An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls. Ubuntu-Description: It was discovered that phpMyAdmin would allow sensitive files to be leaked if certain configuration options were set. An attacker could use this vulnerability to access confidential information. Notes: Bugs: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920823 Priority: medium Discovered-by: Assigned-to: CVSS: nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM] Patches_phpmyadmin: upstream: https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec upstream: https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900 upstream_phpmyadmin: released (4.8.5, 4:4.9.1+dfsg1-2) precise/esm_phpmyadmin: DNE trusty_phpmyadmin: ignored (out of standard support) trusty/esm_phpmyadmin: needed xenial_phpmyadmin: ignored (end of standard support, was needed) bionic_phpmyadmin: released (4:4.6.6-5ubuntu0.5) cosmic_phpmyadmin: ignored (reached end-of-life) disco_phpmyadmin: ignored (reached end-of-life) eoan_phpmyadmin: DNE focal_phpmyadmin: not-affected (4:4.9.2+dfsg1-1) groovy_phpmyadmin: not-affected (4:4.9.2+dfsg1-1) hirsute_phpmyadmin: not-affected (4:4.9.2+dfsg1-1) impish_phpmyadmin: not-affected (4:4.9.2+dfsg1-1) jammy_phpmyadmin: not-affected (4:4.9.2+dfsg1-1) devel_phpmyadmin: not-affected (4:4.9.2+dfsg1-1)