Skip to content

SSRF on error page of Elasticsearch and ClickHouse

Moderate
vrana published GHSA-x5r2-hj5c-8jx6 Feb 10, 2021

Package

bundle with all drivers

Affected versions

4.0.0 to 4.7.8

Patched versions

4.7.9

Description

Impact

Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected.

Patches

Patched by ccd2374, included in version 4.7.9.

Workarounds

  • Use a single driver version (e.g. adminer-mysql.php).
  • Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin.

References

https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-21311

Weaknesses

Credits