CVE-2016-9853: Exposure of Sensitive Information to an Unauthorized Actor

May 17, 2022 (updated July 31, 2023)

An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the fopen wrapper issue.

References

github.com/advisories/GHSA-rmmf-5xhh-gg27
nvd.nist.gov/vuln/detail/CVE-2016-9853
security.gentoo.org/glsa/201701-32
web.archive.org/web/20210127193655/http://www.securityfocus.com/bid/94527
www.phpmyadmin.net/security/PMASA-2016-63

Code Behaviors & Features

Detect and mitigate CVE-2016-9853 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →