#VU33346 Cryptographic issues in phpMyAdmin - CVE-2016-9847
Published: December 11, 2016 / Updated: August 4, 2020
Vulnerability identifier: #VU33346
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-9847
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
phpMyAdmin
phpMyAdmin
Software vendor:
phpMyAdmin
phpMyAdmin
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Remediation
Install update from vendor's website.