CVE-2016-6609 — phpmyadmin - security update

Description

An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

How to fix CVE-2016-6609

To remediate CVE-2016-6609, upgrade the affected package to a fixed version below.

—upgrade to 4.4.15.8-r0 or later
—upgrade to 4:4.6.4+dfsg1-1 or later
—upgrade to 4:4.2.12-2+deb8u3 or later
—upgrade to 4.6.4 or later

Is CVE-2016-6609 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 4.4.15.8-r0
from 0, < 4:4.6.4+dfsg1-1
from 0, < 4:4.2.12-2+deb8u3
>= 4.6, < 4.6.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-6609
ADVISORYsecurity.alpinelinux.org/vuln/CVE-2016-6609
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-6609
PATCHgithub.com/phpmyadmin/composer
WEB