CVE-2009-1149

Description

CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters.

How to fix CVE-2009-1149

To remediate CVE-2009-1149, upgrade the affected package to a fixed version below.

• Debian/phpmyadmin—upgrade to 4:3.1.3.1-1 or later
• Packagist/phpmyadmin/phpmyadmin—upgrade to 3.1.3.1 or later

Is CVE-2009-1149 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4:3.1.3.1-1
• from 0, < 3.1.3.1

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2009-1149
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2009-1149
• PATCHgithub.com/phpmyadmin/composer
• WEBlists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html