CVE-2011-2719

critical

Description

libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/68769

https://bugzilla.redhat.com/show_bug.cgi?id=725384

http://www.xxor.se/advisories/phpMyAdmin_3.x_Conditional_Session_Manipulation.txt

http://www.securityfocus.com/bid/48874

http://www.securityfocus.com/archive/1/519155/100/0/threaded

http://www.securityfocus.com/archive/1/518967/100/0/threaded

http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php

http://www.openwall.com/lists/oss-security/2011/07/26/10

http://www.openwall.com/lists/oss-security/2011/07/25/4

http://www.mandriva.com/security/advisories?name=MDVSA-2011:124

http://www.debian.org/security/2011/dsa-2286

http://securityreason.com/securityalert/8322

http://secunia.com/advisories/45515

http://secunia.com/advisories/45365

http://secunia.com/advisories/45315

http://seclists.org/fulldisclosure/2011/Jul/300

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=e7bb42c002885c2aca7aba4d431b8c63ae4de9b7

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=571cdc6ff4bf375871b594f4e06f8ad3159d1754

http://osvdb.org/74112

http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html

Details

Source: Mitre, NVD

Published: 2011-08-01

Updated: 2023-02-13

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical