Skip to content

vrana/adminer vulnerable to SSRF by connecting to privileged ports

Moderate severity GitHub Reviewed Published Feb 10, 2021 in vrana/adminer • Updated Sep 21, 2023

Package

composer vrana/adminer (Composer)

Affected versions

< 4.7.8

Patched versions

4.7.8

Description

Impact

All users are affected.

Patches

  • Unsuccessfully patched by 0fae40fb, included in version 4.4.0.
  • Patched by 35bfaa75, included in version 4.7.8.

Workarounds

Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin.

References

For more information

If you have any questions or comments about this advisory:

  • Comment at 35bfaa75.

References

@vrana vrana published to vrana/adminer Feb 10, 2021
Reviewed Feb 11, 2021
Published to the GitHub Advisory Database Feb 11, 2021
Last updated Sep 21, 2023

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(93rd percentile)

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2018-7667

GHSA ID

GHSA-43f8-p5w3-5m25

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.