Vulnerability CVE-2015-3902 - CERT Civis.Net

Vulnerability Name:

CVE-2015-3902 (CCN-103435)

Assigned:

2015-05-13

Published:

2015-05-13

Updated:

2016-12-28

Summary:

Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2015-3902

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2015:1191

Source: CCN
Type: SECTRACK ID: 1032404
phpMyAdmin Cross-Site Request Forgery Flaw Lets Remote Users Modify the Generated Configuration File

Source: DEBIAN
Type: UNKNOWN
DSA-3382

Source: CCN
Type: phpMyAdmin Security Advisory PMASA-2015-2
XSRF/CSRF vulnerability in phpMyAdmin setup

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php

Source: BID
Type: UNKNOWN
74657

Source: CCN
Type: BID-74657
phpMyAdmin CVE-2015-3902 Cross Site Request Forgery Vulnerability

Source: SECTRACK
Type: UNKNOWN
1032404

Source: XF
Type: UNKNOWN
phpmyadmin-cve20153902-csrf(103435)

Source: CONFIRM
Type: UNKNOWN
https://github.com/phpmyadmin/phpmyadmin/commit/ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-3902

Vulnerable Configuration:

Configuration 1:

cpe:/a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.7:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.7.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.9.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.10.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.11:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.12:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.13.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.13.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.6:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.7:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.8:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.9:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.10:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.11:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.12:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.13:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.2.13.2:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.3.13:*:*:*:*:*:*:*

OR cpe:/a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20153902	V	CVE-2015-3902	2022-06-30
oval:org.opensuse.security:def:113141	P	phpMyAdmin-4.6.5.2-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106569	P	phpMyAdmin-4.6.5.2-1.1 on GA media (Moderate)	2021-10-01
oval:org.cisecurity:def:283	P	DSA-3382-1 phpmyadmin -- security update	2016-02-08
oval:com.ubuntu.artful:def:20153902000	V	CVE-2015-3902 on Ubuntu 17.10 (artful) - medium.	2015-05-26
oval:com.ubuntu.disco:def:201539020000000	V	CVE-2015-3902 on Ubuntu 19.04 (disco) - medium.	2015-05-26
oval:com.ubuntu.trusty:def:20153902000	V	CVE-2015-3902 on Ubuntu 14.04 LTS (trusty) - medium.	2015-05-26
oval:com.ubuntu.cosmic:def:201539020000000	V	CVE-2015-3902 on Ubuntu 18.10 (cosmic) - medium.	2015-05-26
oval:com.ubuntu.bionic:def:20153902000	V	CVE-2015-3902 on Ubuntu 18.04 LTS (bionic) - medium.	2015-05-26
oval:com.ubuntu.xenial:def:20153902000	V	CVE-2015-3902 on Ubuntu 16.04 LTS (xenial) - medium.	2015-05-26
oval:com.ubuntu.bionic:def:201539020000000	V	CVE-2015-3902 on Ubuntu 18.04 LTS (bionic) - medium.	2015-05-26
oval:com.ubuntu.cosmic:def:20153902000	V	CVE-2015-3902 on Ubuntu 18.10 (cosmic) - medium.	2015-05-26
oval:com.ubuntu.xenial:def:201539020000000	V	CVE-2015-3902 on Ubuntu 16.04 LTS (xenial) - medium.	2015-05-26
oval:com.ubuntu.precise:def:20153902000	V	CVE-2015-3902 on Ubuntu 12.04 LTS (precise) - medium.	2015-05-26