Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title phpMyAdmin: Multiple vulnerabilities
Informations
Name GLSA-201701-32 First vendor Publication 2017-01-11
Vendor Gentoo Last vendor Modification 2017-01-11
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been found in phpMyAdmin, the worst of which could lead to arbitrary code execution.

Background

phpMyAdmin is a web-based management tool for MySQL databases.

Description

Multiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers referenced below for details.

Impact

A authenticated remote attacker could exploit these vulnerabilities to execute arbitrary PHP Code, inject SQL code, or to conduct Cross-Site Scripting attacks.

In certain configurations, an unauthenticated remote attacker could cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.6.5.1"

References

[ 1 ] CVE-2016-4412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4412
[ 2 ] CVE-2016-5097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5097
[ 3 ] CVE-2016-5098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5098
[ 4 ] CVE-2016-5099
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5099
[ 5 ] CVE-2016-5701
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5701
[ 6 ] CVE-2016-5702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5702
[ 7 ] CVE-2016-5703
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5703
[ 8 ] CVE-2016-5704
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5704
[ 9 ] CVE-2016-5705
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5705
[ 10 ] CVE-2016-5706
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5706
[ 11 ] CVE-2016-5730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5730
[ 12 ] CVE-2016-5731
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5731
[ 13 ] CVE-2016-5732
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5732
[ 14 ] CVE-2016-5733
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5733
[ 15 ] CVE-2016-5734
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5734
[ 16 ] CVE-2016-5739
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5739
[ 17 ] CVE-2016-6606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6606
[ 18 ] CVE-2016-6607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6607
[ 19 ] CVE-2016-6608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6608
[ 20 ] CVE-2016-6609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6609
[ 21 ] CVE-2016-6610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6610
[ 22 ] CVE-2016-6611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6611
[ 23 ] CVE-2016-6612
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6612
[ 24 ] CVE-2016-6613
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6613
[ 25 ] CVE-2016-6614
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6614
[ 26 ] CVE-2016-6615
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6615
[ 27 ] CVE-2016-6616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6616
[ 28 ] CVE-2016-6617
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6617
[ 29 ] CVE-2016-6618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6618
[ 30 ] CVE-2016-6619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6619
[ 31 ] CVE-2016-6620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6620
[ 32 ] CVE-2016-6622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6622
[ 33 ] CVE-2016-6623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6623
[ 34 ] CVE-2016-6624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6624
[ 35 ] CVE-2016-6625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6625
[ 36 ] CVE-2016-6626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6626
[ 37 ] CVE-2016-6627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6627
[ 38 ] CVE-2016-6628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6628
[ 39 ] CVE-2016-6629
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6629
[ 40 ] CVE-2016-6630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6630
[ 41 ] CVE-2016-6631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6631
[ 42 ] CVE-2016-6632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6632
[ 43 ] CVE-2016-6633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6633
[ 44 ] CVE-2016-9847
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9847
[ 45 ] CVE-2016-9848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9848
[ 46 ] CVE-2016-9849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9849
[ 47 ] CVE-2016-9850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9850
[ 48 ] CVE-2016-9851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9851
[ 49 ] CVE-2016-9852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9852
[ 50 ] CVE-2016-9853
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9853
[ 51 ] CVE-2016-9854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9854
[ 52 ] CVE-2016-9855
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9855
[ 53 ] CVE-2016-9856
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9856
[ 54 ] CVE-2016-9857
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9857
[ 55 ] CVE-2016-9858
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9858
[ 56 ] CVE-2016-9859
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9859
[ 57 ] CVE-2016-9860
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9860
[ 58 ] CVE-2016-9861
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9861
[ 59 ] CVE-2016-9862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9862
[ 60 ] CVE-2016-9863
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9863
[ 61 ] CVE-2016-9864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9864
[ 62 ] CVE-2016-9865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9865
[ 63 ] CVE-2016-9866
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9866

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201701-32

Original Source

Url : http://security.gentoo.org/glsa/glsa-201701-32.xml

CWE : Common Weakness Enumeration

% Id Name
22 % CWE-200 Information Exposure
17 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
16 % CWE-254 Security Features
10 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
10 % CWE-20 Improper Input Validation
5 % CWE-399 Resource Management Errors
3 % CWE-502 Deserialization of Untrusted Data
3 % CWE-310 Cryptographic Issues
3 % CWE-94 Failure to Control Generation of Code ('Code Injection')
3 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
2 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
2 % CWE-264 Permissions, Privileges, and Access Controls
2 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)
2 % CWE-77 Improper Sanitization of Special Elements used in a Command ('Command Injection')
2 % CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 435
Os 1
Os 2

Snort® IPS/IDS

Date Description
2018-07-31 phpMyAdmin preg_replace null byte injection attempt
RuleID : 47046 - Revision : 1 - Type : SERVER-WEBAPP
2018-07-31 phpMyAdmin preg_replace null byte injection attempt
RuleID : 47045 - Revision : 1 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2018-07-09 Name : The remote Debian host is missing a security update.
File : debian_DLA-1415.nasl - Type : ACT_GATHER_INFO
2017-04-25 Name : The remote web server hosts a PHP application that is affected by multiple vu...
File : phpmyadmin_4_6_3.nasl - Type : ACT_GATHER_INFO
2017-04-25 Name : The remote web server hosts a PHP application that is affected by multiple vu...
File : phpmyadmin_4_4_15_7.nasl - Type : ACT_GATHER_INFO
2017-04-25 Name : The remote web server hosts a PHP application that is affected by multiple vu...
File : phpmyadmin_4_0_10_16.nasl - Type : ACT_GATHER_INFO
2017-04-11 Name : The remote web server hosts a PHP application that is affected by multiple vu...
File : phpmyadmin_pmasa_2017_1.nasl - Type : ACT_GATHER_INFO
2017-01-12 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201701-32.nasl - Type : ACT_GATHER_INFO
2016-12-27 Name : The remote Debian host is missing a security update.
File : debian_DLA-757.nasl - Type : ACT_GATHER_INFO
2016-12-12 Name : The remote Fedora host is missing a security update.
File : fedora_2016-2424eeca35.nasl - Type : ACT_GATHER_INFO
2016-12-08 Name : The remote Fedora host is missing a security update.
File : fedora_2016-7fc142da66.nasl - Type : ACT_GATHER_INFO
2016-12-05 Name : The remote Fedora host is missing a security update.
File : fedora_2016-6576a8536b.nasl - Type : ACT_GATHER_INFO
2016-11-28 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_6fe72178b2e311e68b2a6805ca0b3d42.nasl - Type : ACT_GATHER_INFO
2016-11-21 Name : The remote web server hosts a PHP application that is affected by multiple vu...
File : phpmyadmin_pmasa_2016_29.nasl - Type : ACT_GATHER_INFO
2016-09-19 Name : The remote Debian host is missing a security update.
File : debian_DLA-626.nasl - Type : ACT_GATHER_INFO
2016-08-30 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1021.nasl - Type : ACT_GATHER_INFO
2016-08-30 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1027.nasl - Type : ACT_GATHER_INFO
2016-08-18 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_ef70b201645d11e69cdc6805ca0b3d42.nasl - Type : ACT_GATHER_INFO
2016-07-25 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3627.nasl - Type : ACT_GATHER_INFO
2016-07-18 Name : The remote Debian host is missing a security update.
File : debian_DLA-551.nasl - Type : ACT_GATHER_INFO
2016-07-15 Name : The remote Fedora host is missing a security update.
File : fedora_2016-9df3915036.nasl - Type : ACT_GATHER_INFO
2016-07-15 Name : The remote Fedora host is missing a security update.
File : fedora_2016-81c2dabf20.nasl - Type : ACT_GATHER_INFO
2016-07-15 Name : The remote Fedora host is missing a security update.
File : fedora_2016-56ee5cb8b6.nasl - Type : ACT_GATHER_INFO
2016-07-14 Name : The remote Fedora host is missing a security update.
File : fedora_2016-e3240782ec.nasl - Type : ACT_GATHER_INFO
2016-07-14 Name : The remote Fedora host is missing a security update.
File : fedora_2016-cd05bd994a.nasl - Type : ACT_GATHER_INFO
2016-07-14 Name : The remote Fedora host is missing a security update.
File : fedora_2016-55261b6815.nasl - Type : ACT_GATHER_INFO
2016-07-05 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_e7028e1d3f9b11e681f96805ca0b3d42.nasl - Type : ACT_GATHER_INFO
2016-06-29 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-806.nasl - Type : ACT_GATHER_INFO
2016-06-29 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-804.nasl - Type : ACT_GATHER_INFO
2016-06-14 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-712.nasl - Type : ACT_GATHER_INFO
2016-06-01 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-655.nasl - Type : ACT_GATHER_INFO
2016-05-26 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_00ec1be122bb11e69ead6805ca0b3d42.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2017-01-13 13:24:47
  • Multiple Updates
2017-01-11 17:22:57
  • First insertion