GHSA-9xhq-pm7v-693p

Source

https://github.com/advisories/GHSA-9xhq-pm7v-693p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9xhq-pm7v-693p/GHSA-9xhq-pm7v-693p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9xhq-pm7v-693p

Aliases

CVE-2016-9847

Published

2022-05-17T02:36:42Z

Modified

2024-11-30T05:43:40.751733Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

phpMyAdmin Cryptographic Vulnerability

Details

An issue was discovered in phpMyAdmin. When the user does not specify a blowfishsecret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfishsecret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Database specific

{
    "nvd_published_at": "2016-12-11T02:59:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T21:54:58Z"
}

References

Affected packages

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6

Fixed

4.6.5

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.4

Fixed

4.4.15.9

Packagist / phpmyadmin/phpmyadmin

Package

Name: phpmyadmin/phpmyadmin
Purl: pkg:composer/phpmyadmin/phpmyadmin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0

Fixed

4.0.10.18

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.4.1

4.0.4.2

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.10.1

4.0.10.2

4.0.10.3

4.0.10.4

4.0.10.5

4.0.10.6

4.0.10.7

4.0.10.8

4.0.10.9