CVE-2016-6606
Publication date 11 December 2016
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user’s browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
From the Ubuntu Security Team
It was discovered that phpmyadmin incorrectly handled cookie encryption. An attacker with access to cookies could possibly use this to determine information about user credentials.
Status
Package | Ubuntu Release | Status |
---|---|---|
phpmyadmin | 18.04 LTS bionic |
Not affected
|
16.04 LTS xenial |
Fixed 4:4.5.4.1-2ubuntu2.1
|
|
14.04 LTS trusty |
Fixed 4:4.0.10-1ubuntu0.1
|
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 · High |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |