CVE-2015-2206

Severity: medium

Description

libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151331.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151914.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151931.html

http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html

http://www.debian.org/security/2015/dsa-3382

http://www.mandriva.com/security/advisories?name=MDVSA-2015:186

http://www.phpmyadmin.net/home_page/security/PMASA-2015-1.php

http://www.securityfocus.com/bid/72949

http://www.securitytracker.com/id/1031871

https://github.com/phpmyadmin/phpmyadmin/commit/b2f1e895038a5700bf8e81fb9a5da36cbdea0eeb

Details

Source: MITRE

Published: 2015-03-09

Updated: 2016-12-28

Type: CWE-200

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.0:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.2:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.3:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.4:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.5:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.6:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.7:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.8:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.8.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.9:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.9.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.10:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.10.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.11:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.12:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.13:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.13.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.0:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.1:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.2:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.3:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.4:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.5:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.6:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.7:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.8:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.9:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.10:*:*:*:*:*:*:*

cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.11:*:*:*:*:*:*:*

Tenable Plugins


ID    | Name                                                                                                                      | Product                | Family                         | Severity
------|---------------------------------------------------------------------------------------------------------------------------|------------------------|--------------------------------|---------
9103  | phpMyAdmin 4.0.x < 4.0.10.9 / 4.2.x < 4.2.13.2 / 4.3.x < 4.3.11.1 Information Disclosure Vulnerability (PMASA-2015-1)      | Nessus Network Monitor | CGI                            | medium
86665 | Debian DSA-3382-1 : phpmyadmin - security update                                                                          | Nessus                 | Debian Local Security Checks   | medium
86641 | Debian DLA-336-1 : phpmyadmin security update                                                                             | Nessus                 | Debian Local Security Checks   | medium
84533 | openSUSE Security Update : phpMyAdmin (openSUSE-2015-466)                                                                 | Nessus                 | SuSE Local Security Checks     | medium
82486 | Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2015:186)                                                            | Nessus                 | Mandriva Local Security Checks | medium
81860 | Fedora 21 : phpMyAdmin-4.3.11.1-1.fc21 (2015-3336)                                                                        | Nessus                 | Fedora Local Security Checks   | medium
81859 | Fedora 20 : phpMyAdmin-4.3.11.1-1.fc20 (2015-3329)                                                                        | Nessus                 | Fedora Local Security Checks   | medium
81818 | phpMyAdmin 4.0.x < 4.0.10.9 / 4.2.x < 4.2.13.2 / 4.3.x < 4.3.11.1 Information Disclosure Vulnerability (PMASA-2015-1)      | Nessus                 | CGI abuses                     | medium
81718 | Fedora 22 : phpMyAdmin-4.3.11.1-1.fc22 (2015-3287)                                                                        | Nessus                 | Fedora Local Security Checks   | medium
81683 | FreeBSD : phpMyAdmin -- Risk of BREACH attack due to reflected parameter (81b4c118-c586-11e4-8495-6805ca0b3d42)           | Nessus                 | FreeBSD Local Security Checks  | medium