Vulnerability Details CVE-2016-2041
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.01
EPSS Ranking 76.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html
- http://www.debian.org/security/2016/dsa-3627
- http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php
- https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html
- http://www.debian.org/security/2016/dsa-3627
- http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php
- https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49
Products affected by CVE-2016-2041
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2
-
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3
-
cpe:2.3:o:fedoraproject:fedora:22
-
cpe:2.3:o:fedoraproject:fedora:23
-
cpe:2.3:o:opensuse:leap:42.1
-
cpe:2.3:o:opensuse:opensuse:13.1
-
cpe:2.3:o:opensuse:opensuse:13.2