Bug 1074066 (CVE-2017-1000499) - VUL-0: CVE-2017-1000499: phpMyAdmin: XSRF/CSRF vulnerability (PMASA-2017-9)
Summary: VUL-0: CVE-2017-1000499: phpMyAdmin: XSRF/CSRF vulnerability (PMASA-2017-9)
Status: RESOLVED FIXED
Duplicates: 1075319
Alias: CVE-2017-1000499
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 42.3
Hardware: Other openSUSE 42.3
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-25 13:01 UTC by Andreas Stieger
Modified: 2018-01-10 09:05 UTC
CC List: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2017-12-25 13:01:33 UTC
From https://www.phpmyadmin.net/security/PMASA-2017-9/
Announcement-ID: PMASA-2017-9
Date: 2017-12-20
Summary: XSRF/CSRF vulnerability in phpMyAdmin

By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

Affected Versions: Versions 4.7.x (prior to 4.7.7) are affected.

Solution: Upgrade to phpMyAdmin 4.7.7 or newer or apply patch listed below.
References

Reporter: Ashutosh Barot
CWE ids: CWE-661 CWE-352

Patches:
4.7: https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b
4.8: https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b

openSUSE:Backports:SLE-12/phpMyAdmin 4.7.5 affected
openSUSE:Leap:42.2:Update/phpMyAdmin 4.7.5 affected
openSUSE:Leap:42.3:Update/phpMyAdmin 4.7.5 affected
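The bug class named in the quoted advisory (a state-changing database operation reachable through a crafted link, authenticated by the victim's session cookie alone) modelled in Python as an added example. This is not phpMyAdmin code and does not reproduce the fix in the linked commits; read those for the actual change. The `Request` class, the handler names, the `session` cookie name, the host `dba.example` and the in-memory SQLite database are all constructed for the illustration. The vulnerable handler trusts any request carrying a valid session cookie, including a GET; the hardened one accepts state changes only on POST and only with a per-session token the attacker's page cannot read.

```python
import hmac
import secrets
import sqlite3
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store: cookie value -> session data.
SESSIONS = {}


@dataclass
class Request:
    """Hypothetical stand-in for an HTTP request as the server sees it."""
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)  # POST body fields

    @property
    def query(self):
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


def new_db():
    """Fresh SQLite database with one table for the attack to drop."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    db.commit()
    return db


def table_exists(db, name):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                     (name,)).fetchone()
    return row is not None


def login():
    """Start a session: returns the cookie; a per-session anti-CSRF token is minted."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": "dba", "token": secrets.token_hex(16)}
    return cookie


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def handle_vulnerable(db, req):
    """CSRF-prone handler: a valid session cookie is the only check, GET is
    accepted and no token is required, so a crafted link is enough."""
    if _session(req) is None:
        return 403
    sql = req.query.get("sql") or req.form.get("sql")
    if not sql:
        return 400
    db.executescript(sql)  # running user-supplied SQL is the app's purpose
    db.commit()
    return 200


def handle_hardened(db, req):
    """Hardened handler: state changes only via POST and only when the submitted
    token equals the session's token (constant-time comparison)."""
    sess = _session(req)
    if sess is None:
        return 403
    if req.method != "POST":
        return 405
    if not hmac.compare_digest(req.form.get("token", ""), sess["token"]):
        return 403
    sql = req.form.get("sql")
    if not sql:
        return 400
    db.executescript(sql)
    db.commit()
    return 200


def simulate_attack(handler, cross_site_post=False):
    """Victim is logged in; the browser follows an attacker link (GET) or auto-
    submits an attacker form (POST). It attaches the victim's cookie either way,
    but the attacker cannot read the victim's token. Returns (status, table kept)."""
    db = new_db()
    cookie = login()
    if cross_site_post:
        req = Request("POST", "https://dba.example/sql.php",
                      cookies={"session": cookie}, form={"sql": "DROP TABLE users"})
    else:
        req = Request("GET", "https://dba.example/sql.php?db=app&sql=DROP+TABLE+users",
                      cookies={"session": cookie})
    return handler(db, req), table_exists(db, "users")


def simulate_legitimate(handler):
    """The application's own form: POST carrying the session's token."""
    db = new_db()
    cookie = login()
    req = Request("POST", "https://dba.example/sql.php", cookies={"session": cookie},
                  form={"sql": "DROP TABLE users", "token": SESSIONS[cookie]["token"]})
    return handler(db, req), table_exists(db, "users")
```

`simulate_attack(handle_vulnerable)` drops the table with nothing more than a followed link; `simulate_attack(handle_hardened)` is refused with 405, and the cross-site POST variant with 403, while the application's own form still succeeds. The cross-site POST case is the caveat worth keeping in mind: moving an operation from GET to POST on its own is not a CSRF fix, because an attacker's page can auto-submit a cross-origin form; the per-session token is what stops it. Setting the session cookie `SameSite=Lax` additionally keeps the browser from attaching it on cross-site top-level GETs such as the crafted link, which is useful defence in depth but not a substitute for the token.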
Comment 1 Swamp Workflow Management 2017-12-25 20:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1074066) was mentioned in
https://build.opensuse.org/request/show/559879 42.2+42.3+Backports:SLE-12 / phpMyAdmin
Comment 2 Andreas Stieger 2017-12-29 16:35:12 UTC
done
Comment 3 Swamp Workflow Management 2017-12-29 20:09:23 UTC
openSUSE-SU-2017:3448-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1074066
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    phpMyAdmin-4.7.7-6.1
openSUSE Leap 42.2 (src):    phpMyAdmin-4.7.7-33.12.1
Comment 4 Swamp Workflow Management 2017-12-29 20:10:22 UTC
openSUSE-SU-2017:3451-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1074066
CVE References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.7.7-14.1
Comment 5 Andreas Stieger 2018-01-10 09:04:46 UTC
*** Bug 1075319 has been marked as a duplicate of this bug. ***
Comment 6 Andreas Stieger 2018-01-10 09:05:48 UTC
This is CVE-2017-1000499