CVE-2011-0986 — phpMyAdmin allows remote attackers to obtain installation path via direct reques

Description

phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file.

How to fix CVE-2011-0986

To remediate CVE-2011-0986, upgrade the affected package to a fixed version below.

Debian/phpmyadmin—upgrade to 4:3.3.9.2-1 or later
Packagist/phpmyadmin/phpmyadmin—upgrade to 2.11.11.2 or later

Is CVE-2011-0986 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4:3.3.9.2-1
>= 2.11.0, < 2.11.11.2

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-0986
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-0986
PATCHgithub.com/phpmyadmin/phpmyadmin
WEBlists.fedoraproject.org/pipermail/package-announce/2011-February/054349.html