CVE-2005-4349

CVSS V2 Medium 6.5 CVSS V3 None

Description

** DISPUTED ** SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450.

Overview

CVE ID
CVE-2005-4349

Assigner
cve@mitre.org

Vulnerability Status
Modified

Published Version
2005-12-19T11:03:00

Last Modified Date
2018-10-19T15:40:50

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
SINGLE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
6.5

Severity
MEDIUM

Exploitability Score
8

Impact Score
6.4

References

Reference URL	Reference Tags
http://secunia.com/advisories/18113	Vendor Advisory
http://securityreason.com/securityalert/270
http://www.vupen.com/english/advisories/2005/2995	Vendor Advisory
http://marc.info/?l=bugtraq&m=113486637512821&w=2
http://www.securityfocus.com/archive/1/419832/100/0/threaded
http://www.securityfocus.com/archive/1/419829/100/0/threaded

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2005-4349
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4349

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 18:04:19				Added to TrackCVE