The phpMyAdmin team reports:
Summary
Bypass $cfg['Servers'][$i]['AllowNoPassword']
Description
A vulnerability was discovered where the restrictions
caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are
bypassed under certain PHP versions. This can allow the
login of users who have no password set even if the
administrator has set $cfg['Servers'][$i]['AllowNoPassword']
to false (which is also the default).
This behavior depends on the PHP version used (it seems
PHP 5 is affected, while PHP 7.0 is not).
Severity
We consider this vulnerability to be of moderate severity.
Mitigation factor
Set a password for all users.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center