CVE-2016-2041 — Observable Discrepancy in Phpmyadmin

CWE-254 CWE-203 — Observable Discrepancy8 documents5 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 22.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Debian Phpmyadmin Fedoraproject Fedora +2 more

Timeline

PublishedFeb 20

Latest updateMay 14

Description

libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/phpmyadmin< phpmyadmin 4:4.5.4-1 (bookworm)

▶Packagistphpmyadmin/phpmyadmin4.0 — 4.0.10.13+2

▶Debianphpmyadmin/phpmyadmin< 4:4.5.4-1+3

▶NVDphpmyadmin/phpmyadmin43 versions+42

▶NVDopensuse/leap42.1

Also affects: Fedora 22, 23

Patches

Patch: www.phpmyadmin.net ↗Patch: github.com ↗Patch: www.phpmyadmin.net ↗

🔴Vulnerability Details

GHSA

phpMyAdmin Unsafe comparison of XSRF/CSRF token↗2022-05-14

▶

OSV

phpMyAdmin Unsafe comparison of XSRF/CSRF token↗2022-05-14

▶

OSV

CVE-2016-2041: libraries/common↗2016-02-20

▶

📋Vendor Advisories

Debian

CVE-2016-2041: phpmyadmin - libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4....↗2016

▶

💬Community

Bugzilla

CVE-2016-2038 CVE-2016-2039 CVE-2016-2040 CVE-2016-1927 CVE-2016-2041 CVE-2016-2043 CVE-2016-2044 CVE-2016-2045 phpmyadmin: various flaws [fedora-all]↗2016-01-28

▶

Bugzilla

CVE-2016-2038 CVE-2016-2039 CVE-2016-2040 CVE-2016-1927 CVE-2016-2041 CVE-2016-2043 CVE-2016-2044 CVE-2016-2045 phpmyadmin: various flaws [epel-all]↗2016-01-28

▶

Bugzilla

CVE-2016-2041 phpMyAdmin: Unsafe comparison of XSRF/CSRF token (PMASA-2016-5)↗2016-01-28

▶