CVE-2015-2206: Infoleak
First published: Mon Mar 09 2015(Updated: )
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fedora | =20 | |
| Fedora | =21 | |
| Fedora | =22 | |
| PhpMyAdmin | =4.0.0 | |
| PhpMyAdmin | =4.0.0-rc2 | |
| PhpMyAdmin | =4.0.0-rc3 | |
| PhpMyAdmin | =4.0.1 | |
| PhpMyAdmin | =4.0.2 | |
| PhpMyAdmin | =4.0.3 | |
| PhpMyAdmin | =4.0.4 | |
| PhpMyAdmin | =4.0.4.1 | |
| PhpMyAdmin | =4.0.4.2 | |
| PhpMyAdmin | =4.0.5 | |
| PhpMyAdmin | =4.0.6 | |
| PhpMyAdmin | =4.0.7 | |
| PhpMyAdmin | =4.0.8 | |
| PhpMyAdmin | =4.0.9 | |
| PhpMyAdmin | =4.0.10 | |
| PhpMyAdmin | =4.0.10.1 | |
| PhpMyAdmin | =4.0.10.2 | |
| PhpMyAdmin | =4.0.10.3 | |
| PhpMyAdmin | =4.0.10.4 | |
| PhpMyAdmin | =4.0.10.5 | |
| PhpMyAdmin | =4.0.10.6 | |
| PhpMyAdmin | =4.0.10.7 | |
| PhpMyAdmin | =4.0.10.8 | |
| PhpMyAdmin | =4.2.0 | |
| PhpMyAdmin | =4.2.1 | |
| PhpMyAdmin | =4.2.2 | |
| PhpMyAdmin | =4.2.3 | |
| PhpMyAdmin | =4.2.4 | |
| PhpMyAdmin | =4.2.5 | |
| PhpMyAdmin | =4.2.6 | |
| PhpMyAdmin | =4.2.7 | |
| PhpMyAdmin | =4.2.7.1 | |
| PhpMyAdmin | =4.2.8 | |
| PhpMyAdmin | =4.2.8.1 | |
| PhpMyAdmin | =4.2.9 | |
| PhpMyAdmin | =4.2.9.1 | |
| PhpMyAdmin | =4.2.10 | |
| PhpMyAdmin | =4.2.10.1 | |
| PhpMyAdmin | =4.2.11 | |
| PhpMyAdmin | =4.2.12 | |
| PhpMyAdmin | =4.2.13 | |
| PhpMyAdmin | =4.2.13.1 | |
| PhpMyAdmin | =4.3.0 | |
| PhpMyAdmin | =4.3.1 | |
| PhpMyAdmin | =4.3.2 | |
| PhpMyAdmin | =4.3.3 | |
| PhpMyAdmin | =4.3.4 | |
| PhpMyAdmin | =4.3.5 | |
| PhpMyAdmin | =4.3.6 | |
| PhpMyAdmin | =4.3.7 | |
| PhpMyAdmin | =4.3.8 | |
| PhpMyAdmin | =4.3.9 | |
| PhpMyAdmin | =4.3.10 | |
| PhpMyAdmin | =4.3.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151331.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151914.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151931.html
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html
- http://www.debian.org/security/2015/dsa-3382
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:186
- http://www.phpmyadmin.net/home_page/security/PMASA-2015-1.php
- http://www.securityfocus.com/bid/72949
- http://www.securitytracker.com/id/1031871
- https://github.com/phpmyadmin/phpmyadmin/commit/b2f1e895038a5700bf8e81fb9a5da36cbdea0eeb
Frequently Asked Questions
What is the severity of CVE-2015-2206?
CVE-2015-2206 is considered a moderate severity vulnerability due to its potential for exploitation via CSRF attacks.
How do I fix CVE-2015-2206?
To mitigate CVE-2015-2206, upgrade phpMyAdmin to version 4.0.10.9 or later, 4.2.13.2 or later, or 4.3.11.1 or later.
What are the affected versions in CVE-2015-2206?
CVE-2015-2206 affects phpMyAdmin versions prior to 4.0.10.9, 4.2.13.2, and 4.3.11.1, as well as Fedora versions 20, 21, and 22.
What type of attack does CVE-2015-2206 facilitate?
CVE-2015-2206 facilitates Cross-Site Request Forgery (CSRF) attacks, allowing remote attackers to exploit the vulnerability.
Is CVE-2015-2206 a client-side or server-side vulnerability?
CVE-2015-2206 is a server-side vulnerability as it affects the processing of language values within the phpMyAdmin application.
- agent/references
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/fedoraproject
- canonical/fedora
- version/fedora/20
- version/fedora/21
- version/fedora/22
- vendor/phpmyadmin
- canonical/phpmyadmin
- version/phpmyadmin/4.0.0
- version/phpmyadmin/4.0.0-rc2
- version/phpmyadmin/4.0.0-rc3
- version/phpmyadmin/4.0.1
- version/phpmyadmin/4.0.2
- version/phpmyadmin/4.0.3
- version/phpmyadmin/4.0.4
- version/phpmyadmin/4.0.4.1
- version/phpmyadmin/4.0.4.2
- version/phpmyadmin/4.0.5
- version/phpmyadmin/4.0.6
- version/phpmyadmin/4.0.7
- version/phpmyadmin/4.0.8
- version/phpmyadmin/4.0.9
- version/phpmyadmin/4.0.10
- version/phpmyadmin/4.0.10.1
- version/phpmyadmin/4.0.10.2
- version/phpmyadmin/4.0.10.3
- version/phpmyadmin/4.0.10.4
- version/phpmyadmin/4.0.10.5
- version/phpmyadmin/4.0.10.6
- version/phpmyadmin/4.0.10.7
- version/phpmyadmin/4.0.10.8
- version/phpmyadmin/4.2.0
- version/phpmyadmin/4.2.1
- version/phpmyadmin/4.2.2
- version/phpmyadmin/4.2.3
- version/phpmyadmin/4.2.4
- version/phpmyadmin/4.2.5
- version/phpmyadmin/4.2.6
- version/phpmyadmin/4.2.7
- version/phpmyadmin/4.2.7.1
- version/phpmyadmin/4.2.8
- version/phpmyadmin/4.2.8.1
- version/phpmyadmin/4.2.9
- version/phpmyadmin/4.2.9.1
- version/phpmyadmin/4.2.10
- version/phpmyadmin/4.2.10.1
- version/phpmyadmin/4.2.11
- version/phpmyadmin/4.2.12
- version/phpmyadmin/4.2.13
- version/phpmyadmin/4.2.13.1
- version/phpmyadmin/4.3.0
- version/phpmyadmin/4.3.1
- version/phpmyadmin/4.3.2
- version/phpmyadmin/4.3.3
- version/phpmyadmin/4.3.4
- version/phpmyadmin/4.3.5
- version/phpmyadmin/4.3.6
- version/phpmyadmin/4.3.7
- version/phpmyadmin/4.3.8
- version/phpmyadmin/4.3.9
- version/phpmyadmin/4.3.10
- version/phpmyadmin/4.3.11