製品・ソフトウェアに関する情報

JVN脆弱性詳細

phpMyAdmin の libraries/common.inc.php におけるアクセス制限を回避される脆弱性

Title	phpMyAdmin の libraries/common.inc.php におけるアクセス制限を回避される脆弱性
Summary	phpMyAdmin の libraries/common.inc.php は、CSRF トークンの比較に定数時間 (constant-time) アルゴリズムを使用しないため、アクセス制限を回避される脆弱性が存在します。補足情報 : CWE による脆弱性タイプは、CWE-254: Security Features (セキュリティ機能) と識別されています。 http://cwe.mitre.org/data/definitions/254.html
Possible impacts	第三者により、時差を測定されることで、アクセス制限を回避される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 24, 2016, midnight
Registration Date	Feb. 25, 2016, 2:52 p.m.
Last Update	Feb. 25, 2016, 2:52 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:P/A:N

Affected System

The phpMyAdmin Project

phpMyAdmin 4.0.10.13 未満の 4.0.x

phpMyAdmin 4.4.15.3 未満の 4.4.x

phpMyAdmin 4.5.4 未満の 4.5.x

phpMyAdmin 4.0.10.13 未満の 4.0.x

phpMyAdmin 4.4.15.3 未満の 4.4.x

phpMyAdmin 4.5.4 未満の 4.5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-2041	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2041
2	CVE-2016-2041	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2041
National Vulnerability Database (NVD)
3	CVE-2016-2041	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2041
4	CVE-2016-2041	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2041

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther
2	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
GitHub
1	Use hash_equals for comparing token	https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49
2	Use hash_equals for comparing token	https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49
SECURITY ANNOUNCEMENTS
3	PMASA-2016-5	https://www.phpmyadmin.net/security/PMASA-2016-5/
4	PMASA-2016-5	https://www.phpmyadmin.net/security/PMASA-2016-5/

Change Log

No	Changed Details	Date of change
0	[2016年02月25日] 掲載	Feb. 17, 2018, 10:37 a.m.
0	[2016年02月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-2041

Summary	libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
Publication Date	Feb. 20, 2016, 10:59 a.m.
Registration Date	Jan. 26, 2021, 2:08 p.m.
Last Update	Nov. 21, 2024, 11:47 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:22:::::::*
cpe:2.3:o:fedoraproject:fedora:23:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:42.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html	Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html	Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html	Third Party Advisory
5	http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html	Third Party Advisory
6	http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html	Third Party Advisory
7	http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html	Third Party Advisory
8	http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html	Third Party Advisory
9	http://www.debian.org/security/2016/dsa-3627
10	http://www.debian.org/security/2016/dsa-3627
11	http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php	Patch Vendor Advisory
12	http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php	Patch Vendor Advisory
13	https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49	Patch
14	https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49	Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-254	セキュリティ機能	https://cwe.mitre.org/data/definitions/254.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3::::::
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:::::::*
cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:::::::*