Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQzZjgtcDV3My01bTI1
vrana/adminer vulnerable to SSRF by connecting to privileged ports
Impact
All users are affected.
Patches
- Unsuccessfully patched by 0fae40fb, included in version 4.4.0.
- Patched by 35bfaa75, included in version 4.7.8.
Workarounds
Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin.
References
- http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
- https://sourceforge.net/p/adminer/bugs-and-features/769/
- https://gusralph.info/adminer-ssrf-bypass-cve-2018-7667/ (CVE-2020-28654)
For more information
If you have any questions or comments about this advisory:
- Comment at 35bfaa75.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQzZjgtcDV3My01bTI1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 8 months ago
Identifiers: GHSA-43f8-p5w3-5m25, CVE-2018-7667
References:
- https://github.com/vrana/adminer/security/advisories/GHSA-43f8-p5w3-5m25
- https://sourceforge.net/p/adminer/bugs-and-features/769/
- http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
- https://gusralph.info/adminer-ssrf-bypass-cve-2018-7667
- https://github.com/vrana/adminer/commit/35bfaa75
- https://github.com/advisories/GHSA-43f8-p5w3-5m25
Blast Radius: 0.0
Affected Packages
packagist:vrana/adminer
Dependent packages: 13Dependent repositories: 94
Downloads: 2,477,986 total
Affected Version Ranges: < 4.7.8
Fixed in: 4.7.8
All affected versions: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7
All unaffected versions: 4.7.8, 4.7.9, 4.8.0, 4.8.1