CVE-2011-4107
medium
CVSS v3
6.5
CVSS v2
4.3
VIR risk
6.5
Description
phpMyAdmin vulnerable to XML external entity (XXE) injection attack
Predictions
Exploit likelihood
75%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2011-4107
Vendor advisory: secalert@redhat.com — http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/46447
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| fedora | 14 | affected | |
| fedora | 15 | affected | |
| fedora | 16 | affected | |
| debian | 5.0 | affected | |
| debian | bookworm | fixed | 4:3.4.7.1-1 |
| debian | bullseye | fixed | 4:3.4.7.1-1 |
| debian | sid | fixed | 4:3.4.7.1-1 |
| debian | trixie | fixed | 4:3.4.7.1-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | phpmyadmin/phpmyadmin | >=3.4.0,<3.4.7.1 | 3.4.7.1 |
| Packagist | phpmyadmin/phpmyadmin | >=3.3.0,<3.3.10.5 | 3.3.10.5 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| phpmyadmin | phpmyadmin | {"startIncluding":"3.3.0.0","endExcluding":"3.3.10.5"} | 3.3.10.5 |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
- http://osvdb.org/76798
- http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
- http://seclists.org/fulldisclosure/2011/Nov/21
- http://secunia.com/advisories/46447
- http://securityreason.com/securityalert/8533
- http://www.debian.org/security/2012/dsa-2391
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:198
- http://www.openwall.com/lists/oss-security/2011/11/03/3
- http://www.openwall.com/lists/oss-security/2011/11/03/5
- http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
- http://www.securityfocus.com/bid/50497
- http://www.wooyun.org/bugs/wooyun-2010-03185
- https://bugzilla.redhat.com/show_bug.cgi?id=751112
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71108
- https://security-tracker.debian.org/tracker/CVE-2011-4107
- https://nvd.nist.gov/vuln/detail/CVE-2011-4107
- https://github.com/phpmyadmin/phpmyadmin/commit/2fbf631384fd8cded55f4500cb87b129442f9ed2
- https://github.com/phpmyadmin/phpmyadmin/commit/34d99de000de9d15cfdf5e9cc8b7682d51110bbd
- https://github.com/phpmyadmin/phpmyadmin/commit/5fa86b8e81565c15ddbc359e8f59ecd829a2b717
- https://github.com/phpmyadmin/phpmyadmin/commit/a5e206fbd2ca814042cfc1bb7dd3b40c28ce3fb5
- https://github.com/phpmyadmin/phpmyadmin
CWEs
CWE-611
Verify integrity in audit chain (admin only). AS-IS.