CVE-2016-6624

NameCVE-2016-6624
DescriptionAn issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1821-1, DLA-626-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)stretch4:4.6.6-4+deb9u1fixed
stretch (security)4:4.6.6-4+deb9u2fixed
bullseye4:5.0.4+dfsg2-2fixed
bookworm, sid4:5.1.1+dfsg1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcewheezy4:3.4.11.1-2+deb7u6DLA-626-1
phpmyadminsourcejessie4:4.2.12-2+deb8u6DLA-1821-1
phpmyadminsource(unstable)4:4.6.4+dfsg1-1

Notes

https://www.phpmyadmin.net/security/PMASA-2016-47/

Search for package or bug name: Reporting problems