Vulnerabilities related to Adminer - Adminer
cve-2018-7667
Vulnerability from cvelistv5
Published
2018-03-05 07:00
Modified
2024-08-05 06:31
Summary
Adminer through 4.3.1 has SSRF via the server parameter.
References
▼ | URL | Tags |
---|---|---|
http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:31:05.042Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt" }, { "name": "[debian-lts-announce] 20180322 [SECURITY] [DLA 1311-1] adminer security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-03-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Adminer through 4.3.1 has SSRF via the server parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-23T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt" }, { "name": "[debian-lts-announce] 20180322 [SECURITY] [DLA 1311-1] adminer security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7667", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Adminer through 4.3.1 has SSRF via the server 
parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt", "refsource": "MISC", "url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt" }, { "name": "[debian-lts-announce] 20180322 [SECURITY] [DLA 1311-1] adminer security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7667", "datePublished": "2018-03-05T07:00:00", "dateReserved": "2018-03-05T00:00:00", "dateUpdated": "2024-08-05T06:31:05.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-43008
Vulnerability from cvelistv5
Published
2022-04-05 01:46
Modified
2024-08-04 03:47
Summary
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting Adminer to connect to a remote MySQL database.
References
▼ | URL | Tags |
---|---|---|
https://github.com/vrana/adminer/releases/tag/v4.6.3 | x_refsource_MISC | |
https://www.adminer.org/ | x_refsource_MISC | |
https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability | x_refsource_MISC | |
https://podalirius.net/en/cves/2021-43008/ | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:47:13.222Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vrana/adminer/releases/tag/v4.6.3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.adminer.org/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://podalirius.net/en/cves/2021-43008/" }, { "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3002-1] adminer security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-13T18:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vrana/adminer/releases/tag/v4.6.3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.adminer.org/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability" }, { "tags": [ "x_refsource_MISC" ], "url": "https://podalirius.net/en/cves/2021-43008/" }, { "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3002-1] adminer security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43008", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/vrana/adminer/releases/tag/v4.6.3", "refsource": "MISC", "url": "https://github.com/vrana/adminer/releases/tag/v4.6.3" }, { "name": "https://www.adminer.org/", "refsource": "MISC", "url": "https://www.adminer.org/" }, { "name": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability", "refsource": "MISC", "url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability" }, { "name": "https://podalirius.net/en/cves/2021-43008/", "refsource": "MISC", "url": "https://podalirius.net/en/cves/2021-43008/" }, { "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3002-1] adminer security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43008", "datePublished": "2022-04-05T01:46:09", "dateReserved": "2021-10-25T00:00:00", "dateUpdated": "2024-08-04T03:47:13.222Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29625
Vulnerability from cvelistv5
Published
2021-05-19 21:35
Modified
2024-08-03 22:11
Summary
Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`). Note: the `affected` field of the record below gives the range as ">= 4.7.8, < 4.8.1", which is narrower than the 4.6.1 to 4.8.0 range stated in this description; the two do not agree, so version matching should not rely on the `affected` field alone.
References
▼ | URL | Tags |
---|---|---|
https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc | x_refsource_CONFIRM | |
https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7 | x_refsource_MISC | |
https://sourceforge.net/p/adminer/bugs-and-features/797/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:11:06.269Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/797/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "adminer", "vendor": "vrana", "versions": [ { "status": "affected", "version": "\u003e= 4.7.8, \u003c 4.8.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-19T21:35:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7" }, { "tags": [ "x_refsource_MISC" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/797/" } ], "source": { "advisory": "GHSA-2v82-5746-vwqc", "discovery": "UNKNOWN" }, "title": "XSS in doc_link", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29625", "STATE": "PUBLIC", "TITLE": "XSS in doc_link" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "adminer", "version": { "version_data": [ { "version_value": "\u003e= 4.7.8, \u003c 4.8.1" } ] } } ] }, "vendor_name": "vrana" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. 
The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`)." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc", "refsource": "CONFIRM", "url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc" }, { "name": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7", "refsource": "MISC", "url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7" }, { "name": "https://sourceforge.net/p/adminer/bugs-and-features/797/", "refsource": "MISC", "url": "https://sourceforge.net/p/adminer/bugs-and-features/797/" } ] }, "source": { "advisory": "GHSA-2v82-5746-vwqc", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29625", "datePublished": "2021-05-19T21:35:11", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:11:06.269Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45195
Vulnerability from cvelistv5
Published
2024-06-24 21:06
Modified
2024-08-02 20:14
Summary
Adminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Adminer | Adminer | Version: 0 < Version: cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:* cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:* cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:* |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-45195", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-25T14:34:53.587598Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-25T14:35:33.373Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T20:14:19.950Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*", "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "Adminer", "vendor": "Adminer", "versions": [ { "lessThanOrEqual": "*", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThanOrEqual": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "status": "affected", "version": "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*", "versionType": "cpe" } ] }, { "cpes": [ "cpe:2.3:a:adminerevo:adminerevo:4.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "AdminerEvo", "repo": "https://github.com/adminerevo/adminerevo", "vendor": "AdminerEvo", "versions": [ { "lessThan": "4.8.4", "status": "affected", "version": "4.8.2", "versionType": "custom" }, { "lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*", "status": "affected", "version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*", "versionType": "cpe" } ] } ], "datePublic": "2024-04-07T15:37:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": 
"\u003cp\u003eAdminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eAdminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e" } ], "value": "Adminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4." } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-24T21:06:09.735Z", "orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg" }, "references": [ { "tags": [ "patch" ], "url": "https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc" } ], 
"source": { "discovery": "UNKNOWN" }, "title": "Adminer and AdminerEvo SSRF", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "assignerShortName": "cisa-cg", "cveId": "CVE-2023-45195", "datePublished": "2024-06-24T21:06:09.735Z", "dateReserved": "2023-10-05T03:54:13.664Z", "dateUpdated": "2024-08-02T20:14:19.950Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45197
Vulnerability from cvelistv5
Published
2024-06-21 14:28
Modified
2024-08-02 20:14
Summary
The file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of “..” to the root of the Adminer directory. The attacker can effectively guess the name of the uploaded file and execute it. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.3.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Adminer | Adminer | Version: 0 < Version: cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:* cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:* cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:* |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-45197", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-21T16:13:59.794884Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-21T16:14:14.814Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T20:14:19.841Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/adminerevo/adminerevo/commit/1cc06d6a1005fd833fa009701badd5641627a1d4" }, { "tags": [ "release-notes", "x_transferred" ], "url": "https://github.com/adminerevo/adminerevo/releases/tag/v4.8.3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*", "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "Adminer", "vendor": "Adminer", "versions": [ { "lessThanOrEqual": "*", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThanOrEqual": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "status": "affected", "version": "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*", "versionType": "cpe" } ] }, { "cpes": [ "cpe:2.3:a:adminerevo:adminerevo:4.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adminerevo:adminerevo:4.8.3:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "AdminerEvo", "programFiles": [ "plugins/file-upload.php" ], "repo": "https://github.com/adminerevo/adminerevo", "vendor": "AdminerEvo", "versions": [ { "lessThan": "4.8.3", "status": "affected", "version": "4.8.2", "versionType": "custom" }, { "lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.3:*:*:*:*:*:*:*", "status": "affected", "version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*", "versionType": "cpe" } 
] } ], "datePublic": "2023-10-29T00:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eThe file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of \u201c..\u201d to the root of the Adminer directory. The attacker can effectively guess the name of the uploaded file and execute it. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.3.\u003c/p\u003e" } ], "value": "The file upload plugin in Adminer and AdminerEvo allows an attacker to upload a file with a table name of \u201c..\u201d to the root of the Adminer directory. The attacker can effectively guess the name of the uploaded file and execute it. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.3." } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } 
], "providerMetadata": { "dateUpdated": "2024-06-24T20:27:12.198Z", "orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg" }, "references": [ { "tags": [ "patch" ], "url": "https://github.com/adminerevo/adminerevo/commit/1cc06d6a1005fd833fa009701badd5641627a1d4" }, { "tags": [ "release-notes" ], "url": "https://github.com/adminerevo/adminerevo/releases/tag/v4.8.3" } ], "source": { "discovery": "UNKNOWN" }, "title": "Adminer and AdminerEvo vulnerable to directory traversal and file upload", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "assignerShortName": "cisa-cg", "cveId": "CVE-2023-45197", "datePublished": "2024-06-21T14:28:36.476Z", "dateReserved": "2023-10-05T03:54:13.664Z", "dateUpdated": "2024-08-02T20:14:19.841Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-35572
Vulnerability from cvelistv5
Published
2021-02-09 17:55
Modified
2024-08-04 17:09
Summary
Adminer through 4.7.8 allows XSS via the history parameter to the default URI.
References
▼ | URL | Tags |
---|---|---|
https://sourceforge.net/p/adminer/news/ | x_refsource_MISC | |
https://sourceforge.net/p/adminer/bugs-and-features/775/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:09:13.413Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sourceforge.net/p/adminer/news/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/775/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Adminer through 4.7.8 allows XSS via the history parameter to the default URI." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-09T17:55:56", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://sourceforge.net/p/adminer/news/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/775/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35572", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Adminer through 4.7.8 allows XSS via the history parameter to the default URI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://sourceforge.net/p/adminer/news/", "refsource": "MISC", "url": "https://sourceforge.net/p/adminer/news/" }, { "name": "https://sourceforge.net/p/adminer/bugs-and-features/775/", "refsource": "MISC", "url": "https://sourceforge.net/p/adminer/bugs-and-features/775/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35572", "datePublished": "2021-02-09T17:55:56", "dateReserved": "2020-12-20T00:00:00", "dateUpdated": "2024-08-04T17:09:13.413Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21311
Vulnerability from cvelistv5
Published
2021-02-11 20:55
Modified
2024-08-03 18:09
Summary
Adminer is an open-source database management tool in a single PHP file. In Adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
References
▼ | URL | Tags |
---|---|---|
https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 | x_refsource_CONFIRM | |
https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf | x_refsource_MISC | |
https://packagist.org/packages/vrana/adminer | x_refsource_MISC | |
https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.132Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://packagist.org/packages/vrana/adminer" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351" }, { "name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2580-1] adminer security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "adminer", "vendor": "vrana", "versions": [ { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.7.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-02T21:06:28", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://packagist.org/packages/vrana/adminer" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351" }, { "name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2580-1] adminer security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html" } ], "source": { "advisory": "GHSA-x5r2-hj5c-8jx6", "discovery": "UNKNOWN" }, "title": "SSRF in adminer", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21311", "STATE": "PUBLIC", "TITLE": "SSRF in adminer" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "adminer", "version": { "version_data": [ { "version_value": "\u003e= 4.0.0, \u003c 4.7.9" } ] } } ] }, "vendor_name": "vrana" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Adminer is 
an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6", "refsource": "CONFIRM", "url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6" }, { "name": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf", "refsource": "MISC", "url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf" }, { "name": "https://packagist.org/packages/vrana/adminer", "refsource": "MISC", "url": "https://packagist.org/packages/vrana/adminer" }, { "name": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351", "refsource": "MISC", "url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351" }, { "name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2580-1] adminer security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html" } ] }, "source": { "advisory": "GHSA-x5r2-hj5c-8jx6", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21311", "datePublished": "2021-02-11T20:55:15", 
"dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.132Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45196
Vulnerability from cvelistv5
Published
2024-06-24 20:48
Modified
2024-08-02 20:14
Severity ?
EPSS score ?
Summary
Adminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Adminer | Adminer |
Version: 0 < Version: cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:* cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:* cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:* |
||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-45196", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-25T13:20:08.611689Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-25T13:20:53.512Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T20:14:20.034Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*", "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "Adminer", "vendor": "Adminer", "versions": [ { "lessThanOrEqual": "*", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThanOrEqual": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "status": "affected", "version": "cpe:2.3:a:adminer:adminer:0:*:*:*:*:*:*:*", "versionType": "cpe" } ] }, { "cpes": [ "cpe:2.3:a:adminerevo:adminerevo:4.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "AdminerEvo", "repo": "https://github.com/adminerevo/adminerevo", "vendor": "AdminerEvo", "versions": [ { "lessThan": "4.8.4", "status": "affected", "version": "4.8.2", "versionType": "custom" }, { "lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.4:*:*:*:*:*:*:*", "status": "affected", "version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*", "versionType": "cpe" } ] } ], "datePublic": "2024-04-07T15:37:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": 
"\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAdminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eAdminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e" } ], "value": "Adminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4." } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/AU:Y", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-24T20:48:21.534Z", "orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg" }, "references": [ { 
"tags": [ "patch" ], "url": "https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6" } ], "source": { "discovery": "UNKNOWN" }, "title": "Adminer and AdminerEvo denial of service via HTTP redirect", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "assignerShortName": "cisa-cg", "cveId": "CVE-2023-45196", "datePublished": "2024-06-24T20:48:21.534Z", "dateReserved": "2023-10-05T03:54:13.664Z", "dateUpdated": "2024-08-02T20:14:20.034Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2018-03-05 07:29
Modified
2024-11-21 04:12
Severity ?
Summary
Adminer through 4.3.1 has SSRF via the server parameter.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt | Exploit, Third Party Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CA03BBA-8A5A-4538-B77C-E5623A6F97FD", "versionEndIncluding": "4.3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Adminer through 4.3.1 has SSRF via the server parameter." }, { "lang": "es", "value": "Adminer hasta la versi\u00f3n 4.3.1 tiene SSRF mediante el par\u00e1metro server." } ], "id": "CVE-2018-7667", "lastModified": "2024-11-21T04:12:30.440", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-05T07:29:00.493", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00014.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-09 18:15
Modified
2024-11-21 05:27
Severity ?
Summary
Adminer through 4.7.8 allows XSS via the history parameter to the default URI.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://sourceforge.net/p/adminer/bugs-and-features/775/ | Exploit, Third Party Advisory | |
cve@mitre.org | https://sourceforge.net/p/adminer/news/ | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://sourceforge.net/p/adminer/bugs-and-features/775/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://sourceforge.net/p/adminer/news/ | Release Notes, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "matchCriteriaId": "A66B65BF-2155-4E6E-8511-207B891113FF", "versionEndIncluding": "4.7.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Adminer through 4.7.8 allows XSS via the history parameter to the default URI." }, { "lang": "es", "value": "Adminer versiones hasta 4.7.8 permite un ataque de tipo XSS por medio del par\u00e1metro history en el URI predeterminado" } ], "id": "CVE-2020-35572", "lastModified": "2024-11-21T05:27:36.540", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-09T18:15:44.073", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/775/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": 
"https://sourceforge.net/p/adminer/news/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/775/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://sourceforge.net/p/adminer/news/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-04-05 02:15
Modified
2024-11-21 06:28
Severity ?
Summary
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting that Adminer connect to a remote MySQL database.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
adminer | adminer | * | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "matchCriteriaId": "D549BB34-3EDB-4FD7-8645-7D51C39B3773", "versionEndIncluding": "4.6.2", "versionStartIncluding": "1.12.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database." }, { "lang": "es", "value": "Un control de acceso inapropiado en las versiones 1.12.0 a 4.6.2 de Adminer (corregido en la versi\u00f3n 4.6.3) permite a un atacante lograr una lectura arbitraria de archivos en el servidor remoto solicitando a Adminer que sea conectado a una base de datos MySQL remota" } ], "id": "CVE-2021-43008", "lastModified": "2024-11-21T06:28:27.240", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": 
"NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-04-05T02:15:06.887", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/releases/tag/v4.6.3" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://podalirius.net/en/cves/2021-43008/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.adminer.org/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/releases/tag/v4.6.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://podalirius.net/en/cves/2021-43008/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.adminer.org/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-19 22:15
Modified
2024-11-21 06:01
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc | Patch, Third Party Advisory | |
security-advisories@github.com | https://sourceforge.net/p/adminer/bugs-and-features/797/ | Exploit, Product, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://sourceforge.net/p/adminer/bugs-and-features/797/ | Exploit, Product, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "matchCriteriaId": "141DCC97-784C-4851-B1DC-01F41E749177", "versionEndExcluding": "4.8.1", "versionStartIncluding": "4.6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`)." 
}, { "lang": "es", "value": "Adminer es un software de administraci\u00f3n de bases de datos de c\u00f3digo abierto.\u0026#xa0;Una vulnerabilidad de tipo cross-site scripting en Adminer versiones 4.6.1 hasta 4.8.0, afecta a los usuarios de MySQL, MariaDB, PgSQL y SQLite.\u0026#xa0;Un ataque de tipo XSS en la mayor\u00eda de los casos es impedido por un CSP estricto en todos los navegadores modernos.\u0026#xa0;La \u00fanica excepci\u00f3n es cuando Adminer est\u00e1 usando una extensi\u00f3n \"pdo_\" para comunicarse con la base de datos (se usa si las extensiones nativas no est\u00e1n habilitadas).\u0026#xa0;En los navegadores sin CSP, las versiones de Adminer 4.6.1 hasta 4.8.0 est\u00e1n afectadas.\u0026#xa0;La vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 4.8.1.\u0026#xa0;Como soluciones alternativas, se puede usar un navegador que admita CSP estricto o habilitar las extensiones nativas de PHP (por ejemplo, \"mysqli\") o deshabilitar la visualizaci\u00f3n de errores de PHP (\"display_errors\")" } ], "id": "CVE-2021-29625", "lastModified": "2024-11-21T06:01:31.290", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-19T22:15:07.903", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Product", "Third Party Advisory" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/797/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Product", "Third Party Advisory" ], "url": "https://sourceforge.net/p/adminer/bugs-and-features/797/" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": 
"Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-11 21:15
Modified
2024-11-21 05:47
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
Adminer is an open-source database management tool contained in a single PHP file. Adminer versions from 4.0.0 up to, but not including, 4.7.9 contain a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
adminer | adminer | * | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5E19DCC-D7A6-4325-8E91-E601C9967B8F", "versionEndExcluding": "4.7.9", "versionStartIncluding": "4.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9." }, { "lang": "es", "value": "Adminer es una administraci\u00f3n de base de datos de c\u00f3digo abierto en un solo archivo PHP.\u0026#xa0;En el administrador de la versi\u00f3n 4.0.0 y antes de la 4.7.9, se presenta una vulnerabilidad de tipo server-side request forgery.\u0026#xa0;Los usuarios de las versiones Adminer que incluyen todos los controladores (por ejemplo, \"adminer.php\") est\u00e1n afectados.\u0026#xa0;Esto es corregido en la versi\u00f3n 4.7.9" } ], "id": "CVE-2021-21311", "lastModified": "2024-11-21T05:47:59.810", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { 
"cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-11T21:15:13.820", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6" }, { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html" }, { "source": "security-advisories@github.com", "tags": [ "Product", "Third Party Advisory" ], "url": "https://packagist.org/packages/vrana/adminer" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://packagist.org/packages/vrana/adminer" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }