Описание
vrana/adminer vulnerable to SSRF by connecting to privileged ports
Impact
All users are affected.
Patches
- Unsuccessfully patched by 0fae40fb, included in version 4.4.0.
- Patched by 35bfaa75, included in version 4.7.8.
Workarounds
Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin.
References
- http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
- https://sourceforge.net/p/adminer/bugs-and-features/769/
- https://gusralph.info/adminer-ssrf-bypass-cve-2018-7667/ (CVE-2020-28654)
For more information
If you have any questions or comments about this advisory:
- Comment at 35bfaa75.
Ссылки
- https://github.com/vrana/adminer/security/advisories/GHSA-43f8-p5w3-5m25
- https://github.com/vrana/adminer/commit/35bfaa75
- https://gusralph.info/adminer-ssrf-bypass-cve-2018-7667
- https://sourceforge.net/p/adminer/bugs-and-features/769
- http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
Пакеты
Наименование
vrana/adminer
composer
Затронутые версииВерсия исправления
< 4.7.8
4.7.8
Связанные уязвимости
CVSS3: 9.8
ubuntu
почти 8 лет назад
Adminer through 4.3.1 has SSRF via the server parameter.
CVSS3: 9.8
debian
почти 8 лет назад
Adminer through 4.3.1 has SSRF via the server parameter.
