Skip to content

SSRF in adminer

High severity GitHub Reviewed Published Feb 10, 2021 in vrana/adminer • Updated Feb 1, 2023

Package

composer vrana/adminer (Composer)

Affected versions

< 4.7.9

Patched versions

4.7.9

Description

Impact

Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected.

Patches

Patched by ccd2374b, included in version 4.7.9.

Workarounds

  • Use a single driver version (e.g. adminer-mysql.php).
  • Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin.

References

https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf

For more information

If you have any questions or comments about this advisory:

  • Comment at ccd2374b.

References

@vrana vrana published to vrana/adminer Feb 10, 2021
Reviewed Feb 11, 2021
Published to the GitHub Advisory Database Feb 11, 2021
Published by the National Vulnerability Database Feb 11, 2021
Last updated Feb 1, 2023

Severity

High
7.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2021-21311

GHSA ID

GHSA-x5r2-hj5c-8jx6

Source code

No known source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.