Cookie Encryption Vulnerability in phpMyAdmin
CVE-2016-6606

8.1HIGH

Key Information:

Vendor

PHPmyadmin

Vendor
CVE Published:
11 December 2016

What is CVE-2016-6606?

A flaw exists in the cookie encryption mechanism within phpMyAdmin that makes it susceptible to padding oracle attacks. This vulnerability enables an attacker with access to a user's browser cookie file to decrypt sensitive information, namely the username and password. A significant concern arises from the re-use of the same initialization vector (IV) for hashing the username and password together in the phpMyAdmin cookie. If a user's password matches their username, an attacker who examines the cookie can easily deduce this correlation, even if they cannot directly decode the hash. Affected versions include phpMyAdmin 4.6.x (before 4.6.4), 4.4.x (before 4.4.15.8), and 4.0.x (before 4.0.10.17).

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.