Описание
Adminer through 4.3.1 has SSRF via the server parameter.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| adminer | fixed | 4.5.0-1 | package | |
| adminer | fixed | 4.2.5-3+deb9u1 | stretch | package |
| adminer | fixed | 3.3.3-1+deb8u1 | jessie | package |
Примечания
http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
https://github.com/vrana/adminer/commit/0fae40fb611b5c8167fa2b8d40bf576a8935a380
adminer 4.4.0 disallows connecting to privileged ports, and thus not "enumerating"
services on (another) host for ports < 1024.
Additionally 4.4.0 rate-limits password-less login attempts from the same
IP address:
https://github.com/vrana/adminer/commit/0e5df34ea87ad34c1bc0ceac162eb86175d611a3
EPSS
Процентиль: 92%
0.0773
Низкий
Связанные уязвимости
CVSS3: 9.8
ubuntu
почти 8 лет назад
Adminer through 4.3.1 has SSRF via the server parameter.
github
почти 5 лет назад
vrana/adminer vulnerable to SSRF by connecting to privileged ports
EPSS
Процентиль: 92%
0.0773
Низкий