Lucene search

K
cveMitreCVE-2017-18264
HistoryMay 01, 2018 - 5:29 p.m.

CVE-2017-18264

2018-05-0117:29:00
mitre
web.nvd.nist.gov
93
phpmyadmin
cve
security
vulnerability
php
authentication

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.002

Percentile

59.8%

An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg[‘Servers’][$i][‘AllowNoPassword’] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg[‘Servers’][$i][‘AllowNoPassword’] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given ‘’ as the first argument.

Affected configurations

Nvd
Node
phpmyadminphpmyadminRange4.0.04.0.10.20
Node
phpmyadminphpmyadminRange4.4.04.4.15.10
Node
phpmyadminphpmyadminRange4.6.04.6.6
Node
phpmyadminphpmyadminMatch4.7.0beta1
OR
phpmyadminphpmyadminMatch4.7.0rc1
Node
debiandebian_linuxMatch8.0
VendorProductVersionCPE
phpmyadminphpmyadmin*cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*
phpmyadminphpmyadmin4.7.0cpe:2.3:a:phpmyadmin:phpmyadmin:4.7.0:beta1:*:*:*:*:*:*
phpmyadminphpmyadmin4.7.0cpe:2.3:a:phpmyadmin:phpmyadmin:4.7.0:rc1:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.002

Percentile

59.8%