Alpine: multiple phpmyadmin packages: security update to 4.4.15.8-r0

critical Tenable Self-Hosted Container Security Plugin ID 406391

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in phpMyAdmin involving the $cfg['ArbitraryServerRegexp'] configuration directive.
An attacker could reuse certain cookie values in a way that bypasses the servers defined by
ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x
versions (prior to 4.0.10.17) are affected. (CVE-2016-6629)

- An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is
vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser
cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used
to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as
their username, an attacker who examines the browser cookie can see that they are the same - but the
attacker cannot directly decode these values from the cookie as it is still hashed. All 4.6.x versions
(prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are
affected. (CVE-2016-6606)

- XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can
be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly
escaped and can be used to trigger an XSS attack); Relation view; the following Transformations:
Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper;
XML export; MediaWiki export; Designer; when the MySQL server is running with a specially crafted log_bin
directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4),
4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. (CVE-2016-6607)

- XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove
partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x
versions (prior to 4.6.4) are affected. (CVE-2016-6608)

- An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary
PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior
to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. (CVE-2016-6609)

See Also

https://security.alpinelinux.org/vuln/CVE-2016-6606

https://security.alpinelinux.org/vuln/CVE-2016-6607

https://security.alpinelinux.org/vuln/CVE-2016-6608

https://security.alpinelinux.org/vuln/CVE-2016-6609

https://security.alpinelinux.org/vuln/CVE-2016-6610

https://security.alpinelinux.org/vuln/CVE-2016-6611

https://security.alpinelinux.org/vuln/CVE-2016-6612

https://security.alpinelinux.org/vuln/CVE-2016-6613

https://security.alpinelinux.org/vuln/CVE-2016-6614

https://security.alpinelinux.org/vuln/CVE-2016-6615

https://security.alpinelinux.org/vuln/CVE-2016-6616

https://security.alpinelinux.org/vuln/CVE-2016-6617

https://security.alpinelinux.org/vuln/CVE-2016-6618

https://security.alpinelinux.org/vuln/CVE-2016-6619

https://security.alpinelinux.org/vuln/CVE-2016-6620

https://security.alpinelinux.org/vuln/CVE-2016-6622

https://security.alpinelinux.org/vuln/CVE-2016-6623

https://security.alpinelinux.org/vuln/CVE-2016-6624

https://security.alpinelinux.org/vuln/CVE-2016-6625

https://security.alpinelinux.org/vuln/CVE-2016-6626

https://security.alpinelinux.org/vuln/CVE-2016-6627

https://security.alpinelinux.org/vuln/CVE-2016-6628

https://security.alpinelinux.org/vuln/CVE-2016-6629

https://security.alpinelinux.org/vuln/CVE-2016-6630

https://security.alpinelinux.org/vuln/CVE-2016-6631

https://security.alpinelinux.org/vuln/CVE-2016-6632

https://security.alpinelinux.org/vuln/CVE-2016-6633

Plugin Details

Severity: Critical

ID: 406391

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/13/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-6629

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/7/2016

Reference Information

CVE: CVE-2016-6606, CVE-2016-6607, CVE-2016-6608, CVE-2016-6609, CVE-2016-6610, CVE-2016-6611, CVE-2016-6612, CVE-2016-6613, CVE-2016-6614, CVE-2016-6615, CVE-2016-6616, CVE-2016-6617, CVE-2016-6618, CVE-2016-6619, CVE-2016-6620, CVE-2016-6622, CVE-2016-6623, CVE-2016-6624, CVE-2016-6625, CVE-2016-6626, CVE-2016-6627, CVE-2016-6628, CVE-2016-6629, CVE-2016-6630, CVE-2016-6631, CVE-2016-6632, CVE-2016-6633

BID: 92489, 92490, 92491, 92492, 92493, 92494, 92496, 92497, 92500, 92501, 93257, 93258, 94112, 94113, 94114, 94115, 94117, 94118, 94366, 95041, 95042, 95044, 95047, 95048, 95049, 95052, 95055