#VU33346 Cryptographic issues in phpMyAdmin - CVE-2016-9847 

 


Published: December 11, 2016 / Updated: August 4, 2020


Vulnerability identifier: #VU33346
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-9847
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
phpMyAdmin
Software vendor:
phpMyAdmin

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. The algorithm used to generate this value is weak. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
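The following audit sketch is an added example, not code from this advisory or from phpMyAdmin. It checks a version string against the affected ranges above and reports whether the text of config.inc.php sets blowfish_secret explicitly. The function names, result labels and sample inputs are assumptions made for illustration.

```python
import re

# Fixed release for each branch named in the advisory text.
FIXED = {(4, 6): (4, 6, 5), (4, 4): (4, 4, 15, 9), (4, 0): (4, 0, 10, 18)}

# An active (uncommented) assignment: $cfg['blowfish_secret'] = '...';
# Escaped quotes inside the value are not handled by this simple pattern.
SECRET_RE = re.compile(
    r"""^\s*\$cfg\[\s*['"]blowfish_secret['"]\s*\]\s*=\s*(['"])(.*?)\1\s*;""",
    re.MULTILINE,
)


def parse_version(text):
    """Turn the numeric prefix of a version string into a tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_affected(version):
    """True if the version is in a range the advisory lists as affected."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def configured_secret(config_text):
    """Last blowfish_secret value assigned in the config text, '' if none."""
    matches = SECRET_RE.findall(config_text)
    return matches[-1][1] if matches else ""


def assess(version, config_text):
    if not version_affected(version):
        return "not-listed"            # branch/version not named as affected
    if configured_secret(config_text):
        return "affected-secret-set"   # runtime generation is not used
    return "affected-runtime-secret"   # the condition the advisory describes


# Constructed sample inputs (not taken from any real installation).
CONFIG_UNSET = "<?php\n$cfg['blowfish_secret'] = ''; /* cookie auth */\n"
CONFIG_SET = (
    "<?php\n// $cfg['blowfish_secret'] = '';\n"
    "$cfg[\"blowfish_secret\"] = 'constructed-sample-value-not-a-real-key';\n"
)

if __name__ == "__main__":
    for ver, cfg in [("4.6.4", CONFIG_UNSET), ("4.4.15.8", CONFIG_SET),
                     ("4.0.10.18", CONFIG_UNSET)]:
        print(ver, assess(ver, cfg))
```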


Remediation

Install the update from the vendor's website.
