Announcement-ID: PMASA-2025-3
Date: 2025-01-21
glibc/iconv Vulnerability (CVE-2024-2961)
A vulnerability was found in glibc's iconv implementation that could affect phpMyAdmin under specific circumstances.
By default, phpMyAdmin is not vulnerable, but because phpMyAdmin uses iconv and an exploit could exist under some configurations, we are publishing this PMASA with the full details we have determined.
The PHP group has posted a statement about the vulnerability.
In the default configuration, phpMyAdmin is not affected, so we do not consider this to be severe.
The following PHP environment requirements must all be met for a system to be vulnerable:
* Glibc security updates from the distribution have not been installed
* And the iconv extension is loaded
* And the vulnerable character set has not been removed from gconv-modules-extra.conf

In combination, the following phpMyAdmin requirements must also be met for the attack to potentially succeed:
* The user must be authenticated to use the export feature
* $cfg['RecodingEngine'] must be set to 'iconv' or to 'auto'. The default value is 'auto', which uses the iconv extension if available
* The charset 'ISO-2022-CN-EXT' must be included in $cfg['AvailableCharsets'], which is not included by default
* The user then chooses to convert to the character set ISO-2022-CN-EXT before exporting to a file
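As an added example (not phpMyAdmin's own code), the following PHP snippet audits a config.inc.php-style $cfg array for the phpMyAdmin-side preconditions listed above and shows the weak configuration beside a hardened one; the function name is an assumption made for this example, and the glibc-side conditions still have to be checked on the host.

```php
<?php
// Added example (not phpMyAdmin code): audit a $cfg array for the
// phpMyAdmin-side preconditions from PMASA-2025-3. The function name is an
// assumption for this example; the config keys are phpMyAdmin's own.

function pmasa_2025_3_conditions(array $cfg): array
{
    // phpMyAdmin's default is 'auto', which selects iconv when the extension is loaded.
    $engine   = $cfg['RecodingEngine'] ?? 'auto';
    $charsets = $cfg['AvailableCharsets'] ?? [];

    $usesIconv = $engine === 'iconv'
        || ($engine === 'auto' && extension_loaded('iconv'));
    $offersCharset = in_array('ISO-2022-CN-EXT', $charsets, true);

    return [
        'iconv_extension_loaded'        => extension_loaded('iconv'),
        'recoding_engine_selects_iconv' => $usesIconv,
        'iso_2022_cn_ext_offered'       => $offersCharset,
        // Both phpMyAdmin-side settings must line up; the glibc-side conditions
        // (unpatched glibc, charset still present in gconv-modules-extra.conf)
        // are host properties and are not inspected here.
        'pma_side_conditions_met'       => $usesIconv && $offersCharset,
    ];
}

// Weak configuration (constructed): an administrator has added ISO-2022-CN-EXT,
// which is not in the default charset list, while leaving recoding on 'auto'.
$weak = [
    'RecodingEngine'    => 'auto',
    'AvailableCharsets' => ['utf-8', 'latin1', 'ISO-2022-CN-EXT'],
];

// Hardened configuration (constructed): drop the charset and, where charset
// conversion on export is not needed, disable the recoding engine with 'none'.
$hardened = [
    'RecodingEngine'    => 'none',
    'AvailableCharsets' => ['utf-8', 'latin1'],
];

foreach (['weak' => $weak, 'hardened' => $hardened] as $label => $cfg) {
    $r = pmasa_2025_3_conditions($cfg);
    printf("%-9s phpMyAdmin-side conditions met: %s\n",
        $label, $r['pma_side_conditions_met'] ? 'yes' : 'no');
}
```

Upgrading to 5.2.2 or newer remains the fix; this check only confirms whether an older deployment exposes the vulnerable path.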
phpMyAdmin versions 5.x prior to 5.2.2 are affected.
Upgrade to phpMyAdmin 5.2.2 or newer, or apply the patch listed below.
Assigned CVE ids: CVE-2024-2961
CWE ids: CWE-661
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.