NVD

Id
21290  
Name
CVE-2016-6606  
Description
An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user"s browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same - but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.  
Reject
 
CVSS Version
2  
CVSS Score
5  
Severity
Medium  
CVSS Base Score
5  
CVSS Impact Subscore
2.9  
CVSS Exploit Subscore
10  
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:N/A:N)  
Pub Date
2017-01-19  
Published
2016-12-10  
Modified Date
2016-12-13  
Seq
2016-6606  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
115511 21290 CVE-2016-6606 94114  View
115512 21290 CVE-2016-6606 https://www.phpmyadmin.net/security/PMASA-2016-29  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
5427 JVNDB-2016-006200 phpMyAdmin の Cookie の暗号化におけるユーザ名およびパスワードを解読される脆弱性 phpMyAdmin の Cookie の暗号化には、ユーザ名およびパスワードを解読される脆弱性が存在します。 CVE-2016-6606 93113 CVE-2016-6606 21290 5 8.1 http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-006200.html 2016-07-07 2016-12-15 View