phpMyAdmin 4.8.5 releases: fix arbitrary file read & SQL injection vulnerability

phpmyadmin vulnerability

phpMyAdmin is a free software tool written in PHP that is intended to handle the administration of a MySQL or MariaDB database server. You can use phpMyAdmin to perform most administration tasks, including creating a database, running queries, and adding user accounts.

phpmyadmin

phpMyAdmin 4.8.5 was released to fix two critical security flaws. The security vulnerabilities are below:
CVE-2019-6799: arbitrary file read vulnerability
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server’s user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of “options(MYSQLI_OPT_LOCAL_INFILE” calls.
CVE- 2019-6798: SQL injection
A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.

Solution

Upgrade to phpMyAdmin 4.8.5