Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yeGZxLTN2cGMtdnY3Ms046w
Files or Directories Accessible to External Parties in Adminer
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
Permalink: https://github.com/advisories/GHSA-rxfq-3vpc-vv72JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeGZxLTN2cGMtdnY3Ms046w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-rxfq-3vpc-vv72, CVE-2021-43008
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43008
- https://github.com/vrana/adminer/releases/tag/v4.6.3
- https://podalirius.net/en/cves/2021-43008/
- https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability
- https://www.adminer.org/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html
- https://github.com/advisories/GHSA-rxfq-3vpc-vv72
Blast Radius: 14.8
Affected Packages
packagist:vrana/adminer
Dependent packages: 13Dependent repositories: 94
Downloads: 2,477,986 total
Affected Version Ranges: >= 1.12.0, < 4.6.3
Fixed in: 4.6.3
All affected versions: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2
All unaffected versions: 4.6.3, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.7.9, 4.8.0, 4.8.1