{"id":"CVE-2016-9849","details":"An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.","modified":"2026-07-08T12:53:37.183643Z","published":"2016-12-11T02:59:47.083Z","related":["openSUSE-SU-2024:10054-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00009.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94521"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-32"},{"type":"FIX","url":"https://www.phpmyadmin.net/security/PMASA-2016-60"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpmyadmin/phpmyadmin","events":[{"introduced":"6da64cc3b2ba4439574f914f51e161645375be96"},{"last_affected":"39864227e7c33f9a6ef29890017e48164df54858"}],"database_specific":{"source":"CPE_STRING","extracted_events":[{"introduced":"4.0.0"},{"last_affected":"4.0.0"},{"introduced":"4.0.1"},{"last_affected":"4.0.1"},{"introduced":"4.0.2"},{"last_affected":"4.0.2"},{"introduced":"4.0.3"},{"last_affected":"4.0.3"},{"introduced":"4.0.4"},{"last_affected":"4.0.4"},{"introduced":"4.0.4.1"},{"last_affected":"4.0.4.1"},{"introduced":"4.0.4.2"},{"last_affected":"4.0.4.2"},{"introduced":"4.0.5"},{"last_affected":"4.0.5"},{"introduced":"4.0.6"},{"last_affected":"4.0.6"},{"introduced":"4.0.7"},{"last_affected":"4.0.7"},{"introduced":"4.0.8"},{"last_affected":"4.0.8"},{"introduced":"4.0.9"},{"last_affected":"4.0.9"},{"introduced":"4.0.10"},{"last_affected":"4.0.10"},{"introduced":"4.0.10.1"},{"last_affected":"4.0.10.1"},{"introduced":"4.0.10.2"},{"last_affected":"4.0.10.2"},{"introduced":"4.0.10.3"},{"last_affected":"4.0.10.3"},{"introduced":"4.0.10.4"},{"last_affected":"4.0.10.4"},{"introduced":"4.0.10.5"},{"last_affected":"4.0.10.5"},{"introduced":"4.0.10.6"},{"last_affected":"4.0.10.6"},{"introduced":"4.0.10.7"},{"last_affected":"4.0.10.7"},{"introduced":"4.0.10.8"},{"last_affected":"4.0.10.8"},{"introduced":"4.0.10.9"},{"last_affected":"4.0.10.9"},{"introduced":"4.0.10.10"},{"last_affected":"4.0.10.10"},{"introduced":"4.0.10.11"},{"last_affected":"4.0.10.11"},{"introduced":"4.0.10.12"},{"last_affected":"4.0.10.12"},{"introduced":"4.0.10.13"},{"last_affected":"4.0.10.13"},{"introduced":"4.0.10.14"},{"last_affected":"4.0.10.14"},{"introduced":"4.0.10.15"},{"last_affected":"4.0.10.15"},{"introduced":"4.0.10.16"},{"last_affected":"4.0.10.16"},{"introduced":"4.0.10.17"},{"last_affected":"4.0.10.17"},{"introduced":"4.6.0"},{"last_affected":"4.6.0"},{"introduced":"4.6.1"},{"last_affected":"4.6.1"},{"introduced":"4.6.2"},{"last_affected":"4.6.2"},{"introduced":"4.6.3"},{"last_affected":"4.6.3"},{"introduced":"4.6.4"},{"last_affected":"4.6.4"},{"introduced":"4.4.0"},{"last_affected":"4.4.0"},{"introduced":"4.4.1"},{"last_affected":"4.4.1"},{"introduced":"4.4.1.1"},{"last_affected":"4.4.1.1"},{"introduced":"4.4.2"},{"last_affected":"4.4.2"},{"introduced":"4.4.3"},{"last_affected":"4.4.3"},{"introduced":"4.4.4"},{"last_affected":"4.4.4"},{"introduced":"4.4.5"},{"last_affected":"4.4.5"},{"introduced":"4.4.6"},{"last_affected":"4.4.6"},{"introduced":"4.4.6.1"},{"last_affected":"4.4.6.1"},{"introduced":"4.4.7"},{"last_affected":"4.4.7"},{"introduced":"4.4.8"},{"last_affected":"4.4.8"},{"introduced":"4.4.9"},{"last_affected":"4.4.9"},{"introduced":"4.4.10"},{"last_affected":"4.4.10"},{"introduced":"4.4.11"},{"last_affected":"4.4.11"},{"introduced":"4.4.12"},{"last_affected":"4.4.12"},{"introduced":"4.4.13"},{"last_affected":"4.4.13"},{"introduced":"4.4.13.1"},{"last_affected":"4.4.13.1"},{"introduced":"4.4.14"},{"last_affected":"4.4.14"},{"introduced":"4.4.14.1"},{"last_affected":"4.4.14.1"},{"introduced":"4.4.15"},{"last_affected":"4.4.15"},{"introduced":"4.4.15.1"},{"last_affected":"4.4.15.1"},{"introduced":"4.4.15.2"},{"last_affected":"4.4.15.2"},{"introduced":"4.4.15.3"},{"last_affected":"4.4.15.3"},{"introduced":"4.4.15.4"},{"last_affected":"4.4.15.4"},{"introduced":"4.4.15.5"},{"last_affected":"4.4.15.5"},{"introduced":"4.4.15.6"},{"last_affected":"4.4.15.6"},{"introduced":"4.4.15.7"},{"last_affected":"4.4.15.7"},{"introduced":"4.4.15.8"},{"last_affected":"4.4.15.8"}],"cpe":["cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.15:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.16:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.17:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.4:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.7:*:*:*:*:*:*:*","cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.8:*:*:*:*:*:*:*"]}}],"versions":["4.0.0","4.0.1","4.0.10","4.0.10.1","4.0.10.10","4.0.10.11","4.0.10.12","4.0.10.13","4.0.10.14","4.0.10.15","4.0.10.16","4.0.10.17","4.0.10.2","4.0.10.3","4.0.10.4","4.0.10.5","4.0.10.6","4.0.10.7","4.0.10.8","4.0.10.9","4.0.2","4.0.3","4.0.4","4.0.4.1","4.0.4.2","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.4.0","4.4.1","4.4.1.1","4.4.10","4.4.11","4.4.12","4.4.13","4.4.13.1","4.4.14","4.4.14.1","4.4.15","4.4.15.1","4.4.15.2","4.4.15.3","4.4.15.4","4.4.15.5","4.4.15.6","4.4.15.7","4.4.15.8","4.4.2","4.4.3","4.4.4","4.4.5","4.4.6","4.4.6.1","4.4.7","4.4.8","4.4.9","4.6.0","4.6.1","4.6.2","4.6.3","4.6.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9849.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}