Alpine: multiple phpmyadmin packages: security update to 4.8.3-r0 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400580

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system. (CVE-2018-19968)

- phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. (CVE-2018-19969)

- In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name. (CVE-2018-19970)

See Also

https://git.alpinelinux.org/aports/commit/?id=327df2ce21328db30da75277c323014af26c0b5c

https://git.alpinelinux.org/aports/commit/?id=aad36dcf3a57ed14c9241182dbe94a7b16c2faee

Plugin Details

Severity: High

ID: 400580

Version: Revision 1.22

Type: Local

Published: 8/16/2023

Updated: 1/17/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-19969

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/8/2019

Vulnerability Publication Date: 12/7/2018

Reference Information

CVE: CVE-2018-19968, CVE-2018-19969, CVE-2018-19970

BID: 106175, 106178, 106181