UBUNTU-CVE-2016-6606

Source
https://ubuntu.com/security/CVE-2016-6606
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2016/UBUNTU-CVE-2016-6606.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2016-6606
Related
Published
2016-12-11T02:59:00Z
Modified
2016-12-11T02:59:00Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

References

Affected packages

Ubuntu:14.04:LTS / phpmyadmin

Package

Name
phpmyadmin
Purl
pkg:deb/ubuntu/phpmyadmin?arch=src?distro=trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4:4.0.10-1ubuntu0.1

Affected versions

4:4.*

4:4.0.6-1
4:4.0.8-1
4:4.0.9-1
4:4.0.10-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "4:4.0.10-1ubuntu0.1",
            "binary_name": "phpmyadmin"
        }
    ]
}

Ubuntu:16.04:LTS / phpmyadmin

Package

Name
phpmyadmin
Purl
pkg:deb/ubuntu/phpmyadmin?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4:4.5.4.1-2ubuntu2.1

Affected versions

4:4.*

4:4.4.13.1-1
4:4.5.0.2-2
4:4.5.1-1
4:4.5.1-2
4:4.5.1-3
4:4.5.2-1
4:4.5.2-2
4:4.5.3.1-1
4:4.5.4-1
4:4.5.4.1-2
4:4.5.4.1-2ubuntu1
4:4.5.4.1-2ubuntu2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "4:4.5.4.1-2ubuntu2.1",
            "binary_name": "phpmyadmin"
        }
    ]
}