
====================================================================

                               CERT-Renater

                   Information Note No. 2015/VULN183
_____________________________________________________________________

DATE                : 09/09/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running phpMyAdmin 4.3.x prior to 4.3.13.2
                          or 4.4.x prior to 4.4.14.1.

======================================================================
https://www.phpmyadmin.net/security/PMASA-2015-4/
______________________________________________________________________

PMASA-2015-4

Announcement-ID: PMASA-2015-4

Date: 2015-09-08

Summary

Vulnerability that allows bypassing the reCaptcha test

Description

This vulnerability allows an attacker to complete the reCaptcha test once
and then carry out a brute-force attack against user credentials without
having to complete any further reCaptcha test: a single solved challenge
is reused for subsequent login attempts instead of a fresh one being
required for each attempt.
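
The following is an added illustration of this class of flaw, written for
this note; it is not phpMyAdmin code and does not reproduce the project's
login implementation. It models a login handler that remembers a passed
captcha in the session (one solve unlocks unlimited guesses) next to one
that demands a fresh captcha token on every attempt. The session layout,
the single-use token verifier standing in for the remote reCaptcha check,
the credential store and the wordlist are all constructed for the example.

```python
"""Reused captcha verdict vs. per-attempt captcha check.

Added example, not phpMyAdmin code. The verifier, session dict, credential
store and wordlist below are assumptions constructed for the demonstration.
"""

import hmac
import secrets

# Constructed sample credential store (username -> password); not real data.
USERS = {"root": "s3cret-pass"}


class FakeCaptchaVerifier:
    """Stand-in for the remote reCaptcha verification call.

    A response token is accepted exactly once, which is how a real verifier
    behaves: missing, unknown or already-consumed tokens are rejected.
    """

    def __init__(self):
        self._issued = set()

    def issue_token(self):
        # A human solving the challenge receives a fresh token from the widget.
        token = secrets.token_hex(8)
        self._issued.add(token)
        return token

    def verify(self, token):
        if token in self._issued:
            self._issued.remove(token)
            return True
        return False


def check_password(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


class VulnerableLogin:
    """Caches the captcha verdict in the session and never clears it, so one
    solved challenge unlocks unlimited password guesses in that session."""

    def __init__(self, verifier):
        self.verifier = verifier

    def attempt(self, session, username, password, captcha_token=None):
        if not session.get("captcha_ok"):
            if not self.verifier.verify(captcha_token):
                return "captcha_required"
            session["captcha_ok"] = True  # the flaw: verdict persists
        return "ok" if check_password(username, password) else "bad_credentials"


class HardenedLogin:
    """Requires a fresh, single-use captcha token for every login attempt and
    carries no verdict across requests."""

    def __init__(self, verifier):
        self.verifier = verifier

    def attempt(self, session, username, password, captcha_token=None):
        if not self.verifier.verify(captcha_token):
            return "captcha_required"
        return "ok" if check_password(username, password) else "bad_credentials"


def brute_force(login, verifier, username, wordlist, solves_available=1):
    """Simulate an attacker who can solve the captcha a limited number of
    times. Returns (recovered password or None, captcha solves consumed)."""
    session = {}
    solves = 0
    for guess in wordlist:
        result = login.attempt(session, username, guess)
        if result == "captcha_required":
            if solves >= solves_available:
                return None, solves
            solves += 1
            token = verifier.issue_token()
            result = login.attempt(session, username, guess, token)
        if result == "ok":
            return guess, solves
    return None, solves


if __name__ == "__main__":
    # Constructed wordlist; the last entry is the sample account's password.
    wordlist = ["password", "123456", "admin", "s3cret-pass"]
    v = FakeCaptchaVerifier()
    print("vulnerable:", brute_force(VulnerableLogin(v), v, "root", wordlist))
    h = FakeCaptchaVerifier()
    print("hardened:  ", brute_force(HardenedLogin(h), h, "root", wordlist))
```

With a single captcha solve the vulnerable handler lets the whole wordlist
through and gives up the password; the hardened handler stops the attacker
at the second guess because each attempt consumes its own token. The
per-attempt check is the property to verify after patching: a login request
without a valid, unused captcha response must be refused regardless of what
earlier requests in the same session did. It complements, rather than
replaces, account lockout or rate limiting (CWE-307).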


Severity

We consider this vulnerability non-critical, since reCaptcha is an
additional, opt-in security measure.


Mitigating factor

This vulnerability only affects installations with the reCaptcha test enabled.

Affected Versions

Versions 4.3.x (prior to 4.3.13.2) and 4.4.x (prior to 4.4.14.1) are 
affected.

Solution

Upgrade to phpMyAdmin 4.3.13.2 or newer, or 4.4.14.1 or newer, or apply
the patches listed below.


References

Assigned CVE ids: CVE-2015-6830

CWE ids: CWE-661 CWE-307


Patches

The following commit has been made on the 4.3 branch to fix this issue:

     0314e67900f01410bc8c81c58a40dc0515e3c91d

The following commit has been made on the 4.4 branch to fix this issue:

     785f4e2711848eb8945894199d5870253a88584e


More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
