Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2016-2041

Disclosure Date: February 20, 2016 •

CVE-2016-2041 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

None

Vendors

fedoraproject,
opensuse,
phpmyadmin

Products

fedora 22,
fedora 23,
leap 42.1,
opensuse 13.1,
opensuse 13.2,
phpmyadmin 4.0.0,
phpmyadmin 4.0.1,
phpmyadmin 4.0.10,
phpmyadmin 4.0.10.1,
phpmyadmin 4.0.10.10,
phpmyadmin 4.0.10.11,
phpmyadmin 4.0.10.12,
phpmyadmin 4.0.10.2,
phpmyadmin 4.0.10.3,
phpmyadmin 4.0.10.4,
phpmyadmin 4.0.10.5,
phpmyadmin 4.0.10.6,
phpmyadmin 4.0.10.7,
phpmyadmin 4.0.10.8,
phpmyadmin 4.0.10.9,
phpmyadmin 4.4.0,
phpmyadmin 4.4.1,
phpmyadmin 4.4.1.1,
phpmyadmin 4.4.10,
phpmyadmin 4.4.11,
phpmyadmin 4.4.12,
phpmyadmin 4.4.13,
phpmyadmin 4.4.13.1,
phpmyadmin 4.4.14.1,
phpmyadmin 4.4.15,
phpmyadmin 4.4.15.1,
phpmyadmin 4.4.15.2,
phpmyadmin 4.4.15.3,
phpmyadmin 4.4.2,
phpmyadmin 4.4.3,
phpmyadmin 4.4.4,
phpmyadmin 4.4.5,
phpmyadmin 4.4.6,
phpmyadmin 4.4.6.1,
phpmyadmin 4.4.7,
phpmyadmin 4.4.8,
phpmyadmin 4.4.9,
phpmyadmin 4.5.0,
phpmyadmin 4.5.0.1,
phpmyadmin 4.5.0.2,
phpmyadmin 4.5.1,
phpmyadmin 4.5.2,
phpmyadmin 4.5.3

References

Canonical

CVE-2016-2041 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2041)

Advisory

http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html

DSA-3627 (http://www.debian.org/security/2016/dsa-3627)

http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html

http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php

https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49

FEDORA-2016-e55278763e (http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html)

FEDORA-2016-e1fe01e96e (http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html)

Rapid7

Unknown

CVE-2016-2041

Unknown

Unknown

None

None

Network

CVE-2016-2041

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Unknown

CVE-2016-2041

Unknown

Unknown

None

None

Network

CVE-2016-2041

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Quick Cookie Notification