CVE-2016-9847 — Phpmyadmin vulnerability

CWE-3106 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 37.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpmyadmin Debian Phpmyadmin

Timeline

PublishedDec 11

Latest updateMay 17

Description

An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/phpmyadmin< phpmyadmin 4:4.6.5.1-1 (bookworm)

▶Packagistphpmyadmin/phpmyadmin4.6 — 4.6.5+2

▶Debianphpmyadmin/phpmyadmin< 4:4.6.5.1-1+3

▶NVDphpmyadmin/phpmyadmin63 versions+62

Patches

Patch: www.phpmyadmin.net ↗Patch: www.phpmyadmin.net ↗

🔴Vulnerability Details

OSV

phpMyAdmin Cryptographic Vulnerability↗2022-05-17

▶

GHSA

phpMyAdmin Cryptographic Vulnerability↗2022-05-17

▶

OSV

CVE-2016-9847: An issue was discovered in phpMyAdmin↗2016-12-11

▶

📋Vendor Advisories

Debian

CVE-2016-9847: phpmyadmin - An issue was discovered in phpMyAdmin. When the user does not specify a blowfish...↗2016

▶

💬Community

Bugzilla

CVE-2014-9847 ImageMagick: incorrect handling of "previous" image in the JNG decoder↗2016-06-07

▶