Information disclosure in phpMyAdmin - CVE-2016-6613
Published: December 11, 2016 / Updated: August 4, 2020
Vulnerability identifier: #VU33612
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-6613
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: phpMyAdmin
Affected software:
phpMyAdmin
phpMyAdmin
Detailed vulnerability description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
How to mitigate CVE-2016-6613
Install update from vendor's website.