phpMyAdmin: PMASA-2015-1
Mar 04, 2015 - 12:00 a.m.

Risk of BREACH attack due to reflected parameter.

2015-03-04 00:00:00
www.phpmyadmin.net

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.007
Percentile: 80.5%

PMASA-2015-1

Announcement-ID: PMASA-2015-1

Date: 2015-03-04

Summary

Risk of BREACH attack due to reflected parameter.

Description

With a large number of crafted requests it was possible to infer the CSRF token by a BREACH attack.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability can only be exploited in the presence of another vulnerability that allows the attacker to inject JavaScript into the victim's browser.

Affected Versions

Versions 4.0.x (prior to 4.0.10.9), 4.2.x (prior to 4.2.13.2) and 4.3.x (prior to 4.3.11.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.9 or newer, or 4.2.13.2 or newer, or 4.3.11.1 or newer, or apply the patch listed below.
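
A triage check for the version ranges in "Affected Versions" and "Solution", as an added example (not part of the phpMyAdmin advisory or its patch). The function names, the sample inventory, and the handling of version suffixes are assumptions of this sketch.

```python
import re

# Fixed release per affected branch, from the advisory's "Affected Versions" section.
FIXED = {(4, 0): (4, 0, 10, 9), (4, 2): (4, 2, 13, 2), (4, 3): (4, 3, 11, 1)}


def parse_version(text):
    """Leading dotted-numeric part as a tuple: '4.2.13.1-rc1' -> (4, 2, 13, 1).

    Any suffix after the numbers (distro or pre-release tag) is ignored, which is
    an assumption of this sketch.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def status(text):
    """Classify a version against PMASA-2015-1.

    'affected'   - on a listed branch, older than that branch's fixed release
    'fixed'      - on a listed branch, at or above the fixed release
    'not-listed' - branch not named in the advisory, so no claim either way
    """
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "not-listed"
    # Pad short versions with zeros so '4.0.10' compares as 4.0.10.0.
    padded = v + (0,) * (len(fixed) - len(v))
    return "affected" if padded < fixed else "fixed"


def needs_upgrade(inventory):
    """Map of host -> version for every host whose version is affected."""
    return {h: ver for h, ver in inventory.items() if status(ver) == "affected"}


# Constructed inventory for illustration; host names and versions are made up.
SAMPLE = {
    "db-admin-01": "4.0.10.8",
    "db-admin-02": "4.2.13.2",
    "db-admin-03": "4.3.11",
    "db-admin-04": "4.3.11.1-1ubuntu1",
    "db-admin-05": "4.1.14.8",
}
```

An installation that was patched in place still reports its old version number, so treat the output of `needs_upgrade(SAMPLE)` as a list of candidates to verify rather than a final verdict.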

References

Thanks to Jian Jiang (https://www.linkedin.com/pub/jian-jiang/3a/660/775) and Xiaofeng Zheng ([email protected]) for reporting this vulnerability.

Assigned CVE ids: CVE-2015-2206

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 4.0 branch to fix this issue:

The following commits have been made on the 4.2 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
