Bug 1771259 (CVE-2019-12385) - CVE-2019-12385 ampache_browser: SQL injection leads to compromise admin account
Summary: CVE-2019-12385 ampache_browser: SQL injection leads to compromise admin account
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2019-12385
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1771260
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-12 05:01 UTC by Dhananjay Arunesh
Modified: 2020-05-06 12:59 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-12 06:51:10 UTC
Embargoed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-11-12 05:01:36 UTC 
  An issue was discovered in Ampache through 3.9.1. The search engine is
  affected by a SQL Injection, so any user able to perform
  lib/class/search.class.php searches (even guest users) can dump any data
  contained in the database (sessions, hashed passwords, etc.). This may lead
  to a full compromise of admin accounts, when combined with the weak password
  generator algorithm used in the lostpassword functionality.

Reference:
https://www.tarlogic.com/en/blog/vulnerabilities-in-ampache/
Comment 1 Dhananjay Arunesh 2019-11-12 05:01:48 UTC 
Created ampache_browser tracking bugs for this issue:

Affects: fedora-all [bug 1771260]
Comment 2 Product Security DevOps Team 2019-11-12 06:51:10 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Note You need to log in before you can comment on or make changes to this bug.