Command Injection in phpMyAdmin - CVE-2016-6609

Published: December 11, 2016 / Updated: August 4, 2020


Vulnerability identifier: #VU33608
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-6609
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: phpMyAdmin
Affected software:
phpMyAdmin

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.


How to mitigate CVE-2016-6609

Install the update from the vendor's website: upgrade to 4.6.4, 4.4.15.8 or 4.0.10.17, depending on which branch you run.

Sources