CVE-2016-6609: Command Injection
First published: Sun Dec 11 2016(Updated: )
An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpmyadmin/phpmyadmin | >=4.0<4.0.10.17 | 4.0.10.17 |
| composer/phpmyadmin/phpmyadmin | >=4.4<4.4.15.8 | 4.4.15.8 |
| composer/phpmyadmin/phpmyadmin | >=4.6<4.6.4 | 4.6.4 |
| PhpMyAdmin | =4.4.0 | |
| PhpMyAdmin | =4.4.1 | |
| PhpMyAdmin | =4.4.1.1 | |
| PhpMyAdmin | =4.4.2 | |
| PhpMyAdmin | =4.4.3 | |
| PhpMyAdmin | =4.4.4 | |
| PhpMyAdmin | =4.4.5 | |
| PhpMyAdmin | =4.4.6 | |
| PhpMyAdmin | =4.4.6.1 | |
| PhpMyAdmin | =4.4.7 | |
| PhpMyAdmin | =4.4.8 | |
| PhpMyAdmin | =4.4.9 | |
| PhpMyAdmin | =4.4.10 | |
| PhpMyAdmin | =4.4.11 | |
| PhpMyAdmin | =4.4.12 | |
| PhpMyAdmin | =4.4.13 | |
| PhpMyAdmin | =4.4.13.1 | |
| PhpMyAdmin | =4.4.14 | |
| PhpMyAdmin | =4.4.14.1 | |
| PhpMyAdmin | =4.4.15 | |
| PhpMyAdmin | =4.4.15.1 | |
| PhpMyAdmin | =4.4.15.2 | |
| PhpMyAdmin | =4.4.15.3 | |
| PhpMyAdmin | =4.4.15.4 | |
| PhpMyAdmin | =4.4.15.5 | |
| PhpMyAdmin | =4.4.15.6 | |
| PhpMyAdmin | =4.4.15.7 | |
| PhpMyAdmin | =4.0.0 | |
| PhpMyAdmin | =4.0.1 | |
| PhpMyAdmin | =4.0.2 | |
| PhpMyAdmin | =4.0.3 | |
| PhpMyAdmin | =4.0.4 | |
| PhpMyAdmin | =4.0.4.1 | |
| PhpMyAdmin | =4.0.4.2 | |
| PhpMyAdmin | =4.0.5 | |
| PhpMyAdmin | =4.0.6 | |
| PhpMyAdmin | =4.0.7 | |
| PhpMyAdmin | =4.0.8 | |
| PhpMyAdmin | =4.0.9 | |
| PhpMyAdmin | =4.0.10 | |
| PhpMyAdmin | =4.0.10.1 | |
| PhpMyAdmin | =4.0.10.2 | |
| PhpMyAdmin | =4.0.10.3 | |
| PhpMyAdmin | =4.0.10.4 | |
| PhpMyAdmin | =4.0.10.5 | |
| PhpMyAdmin | =4.0.10.6 | |
| PhpMyAdmin | =4.0.10.7 | |
| PhpMyAdmin | =4.0.10.8 | |
| PhpMyAdmin | =4.0.10.9 | |
| PhpMyAdmin | =4.0.10.10 | |
| PhpMyAdmin | =4.0.10.11 | |
| PhpMyAdmin | =4.0.10.12 | |
| PhpMyAdmin | =4.0.10.13 | |
| PhpMyAdmin | =4.0.10.14 | |
| PhpMyAdmin | =4.0.10.15 | |
| PhpMyAdmin | =4.0.10.16 | |
| PhpMyAdmin | =4.6.0 | |
| PhpMyAdmin | =4.6.1 | |
| PhpMyAdmin | =4.6.2 | |
| PhpMyAdmin | =4.6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/94112
- https://lists.debian.org/debian-lts-announce/2018/07/msg00006.html
- https://security.gentoo.org/glsa/201701-32
- https://www.phpmyadmin.net/security/PMASA-2016-32
- https://nvd.nist.gov/vuln/detail/CVE-2016-6609
- https://github.com/advisories/GHSA-wpww-hx7x-xfjh (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-6609?
CVE-2016-6609 has a high severity rating due to its potential for remote code execution through arbitrary PHP commands.
How do I fix CVE-2016-6609?
To fix CVE-2016-6609, upgrade phpMyAdmin to version 4.0.10.17, 4.4.15.8, or 4.6.4 or later.
Which versions of phpMyAdmin are affected by CVE-2016-6609?
Affected versions include all 4.6.x prior to 4.6.4, 4.4.x prior to 4.4.15.8, and 4.0.x prior to 4.0.10.17.
How can CVE-2016-6609 be exploited?
CVE-2016-6609 can be exploited by using a specially crafted database name that executes arbitrary PHP commands via the array export feature.
What should I do if I cannot upgrade in time due to CVE-2016-6609?
If immediate upgrade is not possible, consider implementing access controls to restrict use of phpMyAdmin while mitigating the risk.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wpww-hx7x-xfjh
- alias/CVE-2016-6609
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/remedy
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/phpmyadmin
- canonical/phpmyadmin
- version/phpmyadmin/4.4.0
- version/phpmyadmin/4.4.1
- version/phpmyadmin/4.4.1.1
- version/phpmyadmin/4.4.2
- version/phpmyadmin/4.4.3
- version/phpmyadmin/4.4.4
- version/phpmyadmin/4.4.5
- version/phpmyadmin/4.4.6
- version/phpmyadmin/4.4.6.1
- version/phpmyadmin/4.4.7
- version/phpmyadmin/4.4.8
- version/phpmyadmin/4.4.9
- version/phpmyadmin/4.4.10
- version/phpmyadmin/4.4.11
- version/phpmyadmin/4.4.12
- version/phpmyadmin/4.4.13
- version/phpmyadmin/4.4.13.1
- version/phpmyadmin/4.4.14
- version/phpmyadmin/4.4.14.1
- version/phpmyadmin/4.4.15
- version/phpmyadmin/4.4.15.1
- version/phpmyadmin/4.4.15.2
- version/phpmyadmin/4.4.15.3
- version/phpmyadmin/4.4.15.4
- version/phpmyadmin/4.4.15.5
- version/phpmyadmin/4.4.15.6
- version/phpmyadmin/4.4.15.7
- version/phpmyadmin/4.0.0
- version/phpmyadmin/4.0.1
- version/phpmyadmin/4.0.2
- version/phpmyadmin/4.0.3
- version/phpmyadmin/4.0.4
- version/phpmyadmin/4.0.4.1
- version/phpmyadmin/4.0.4.2
- version/phpmyadmin/4.0.5
- version/phpmyadmin/4.0.6
- version/phpmyadmin/4.0.7
- version/phpmyadmin/4.0.8
- version/phpmyadmin/4.0.9
- version/phpmyadmin/4.0.10
- version/phpmyadmin/4.0.10.1
- version/phpmyadmin/4.0.10.2
- version/phpmyadmin/4.0.10.3
- version/phpmyadmin/4.0.10.4
- version/phpmyadmin/4.0.10.5
- version/phpmyadmin/4.0.10.6
- version/phpmyadmin/4.0.10.7
- version/phpmyadmin/4.0.10.8
- version/phpmyadmin/4.0.10.9
- version/phpmyadmin/4.0.10.10
- version/phpmyadmin/4.0.10.11
- version/phpmyadmin/4.0.10.12
- version/phpmyadmin/4.0.10.13
- version/phpmyadmin/4.0.10.14
- version/phpmyadmin/4.0.10.15
- version/phpmyadmin/4.0.10.16
- version/phpmyadmin/4.6.0
- version/phpmyadmin/4.6.1
- version/phpmyadmin/4.6.2
- version/phpmyadmin/4.6.3