CVE-2009-1149 — Improper Input Validation in Phpmyadmin

CWE-20 — Improper Input Validation CWE-113 — HTTP Request/Response Splitting6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 27.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Debian Phpmyadmin

Timeline

PublishedMar 26

Latest updateMay 2

Description

CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶debiandebian/phpmyadmin< phpmyadmin 4:3.1.3.1-1 (bookworm)

▶Packagistphpmyadmin/phpmyadmin< 3.1.3.1

▶Debianphpmyadmin/phpmyadmin< 4:3.1.3.1-1+3

▶NVDphpmyadmin/phpmyadmin3.1.3+5

Patches

Patch: phpmyadmin.svn.sourceforge.net ↗Patch: www.phpmyadmin.net ↗Patch: phpmyadmin.svn.sourceforge.net ↗

🔴Vulnerability Details

OSV

phpMyAdmin HTTP Response Splitting Vulnerability↗2022-05-02

▶

GHSA

phpMyAdmin HTTP Response Splitting Vulnerability↗2022-05-02

▶

OSV

CVE-2009-1149: CRLF injection vulnerability in bs_disp_as_mime_type↗2009-03-26

▶

📋Vendor Advisories

Debian

CVE-2009-1149: phpmyadmin - CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming f...↗2009

▶

Red Hat

phpMyAdmin: multiple security fixes in 3.1.3.1 (PMASA-2009-{1,2,3})↗

▶