Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1taHhqLTZ2ZjgtbXd2M84AAbZ6

phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention

An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

Permalink: https://github.com/advisories/GHSA-mhxj-6vf8-mwv3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1taHhqLTZ2ZjgtbXd2M84AAbZ6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 23 days ago

CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-mhxj-6vf8-mwv3, CVE-2016-6624
References:

Blast Radius: 6.9

Affected Packages

packagist:phpmyadmin/phpmyadmin

Dependent packages: 4
Dependent repositories: 15
Downloads: 301,715 total
Affected Version Ranges: >= 4.0, < 4.0.10.17, >= 4.4, < 4.4.15.8, >= 4.6, < 4.6.4
Fixed in: 4.0.10.17, 4.4.15.8, 4.6.4
All affected versions: 4.0.0, 4.0.1-0.1, 4.0.1-0.2, 4.0.1-0.3, 4.0.1-0.4, 4.0.1-0.5, 4.0.1-0.6, 4.0.1-0.7, 4.0.1-0.8, 4.0.1-0.9
All unaffected versions: 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.7.9, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.2.0, 5.2.1