CVE-2016-2039 — MEDIUM (5.3)

Vulnerability Description

libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Opensuse	Leap	42.1
Opensuse	Opensuse	13.1
Phpmyadmin	Phpmyadmin	4.0.0
Fedoraproject	Fedora	23

Related Weaknesses (CWE)

CWE-200

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.hThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.hThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.htmlThird Party Advisory
http://www.debian.org/security/2016/dsa-3627
http://www.phpmyadmin.net/home_page/security/PMASA-2016-2.phpPatchVendor Advisory
https://github.com/phpmyadmin/phpmyadmin/commit/cb7748ac9cffcd1cd0f3081499cd4aafPatch
https://github.com/phpmyadmin/phpmyadmin/commit/f20970d32c3dfdf82aef7b6c244da1f7Patch
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.hThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.hThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.htmlThird Party Advisory
http://www.debian.org/security/2016/dsa-3627
http://www.phpmyadmin.net/home_page/security/PMASA-2016-2.phpPatchVendor Advisory
https://github.com/phpmyadmin/phpmyadmin/commit/cb7748ac9cffcd1cd0f3081499cd4aafPatch

FAQ

What is CVE-2016-2039?

CVE-2016-2039 is a vulnerability with a CVSS score of 5.3 (MEDIUM). libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass inte...

How severe is CVE-2016-2039?

CVE-2016-2039 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-2039?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Leap, Opensuse Opensuse, Phpmyadmin Phpmyadmin, Fedoraproject Fedora.