CVE-2018-7667 – vrana/adminer

Package

Manager: composer
Name: vrana/adminer
Vulnerable Version: >=0 <4.7.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:H/SI:H/SA:L

EPSS: 0.09941 pctl0.92745

Details

vrana/adminer vulnerable to SSRF by connecting to privileged ports ### Impact All users are affected. ### Patches * Unsuccessfully patched by 0fae40fb, included in version [4.4.0](https://github.com/vrana/adminer/releases/tag/v4.4.0). * Patched by 35bfaa75, included in version [4.7.8](https://github.com/vrana/adminer/releases/tag/v4.7.8). ### Workarounds Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP [plugin](https://www.adminer.org/plugins/). ### References * http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt * https://sourceforge.net/p/adminer/bugs-and-features/769/ * https://gusralph.info/adminer-ssrf-bypass-cve-2018-7667/ (CVE-2020-28654) ### For more information If you have any questions or comments about this advisory: * Comment at 35bfaa75.

Metadata

Created: 2021-02-11T21:20:40Z
Modified: 2023-09-21T19:57:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-43f8-p5w3-5m25/GHSA-43f8-p5w3-5m25.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-43f8-p5w3-5m25
Finding: F100
Auto approve: 1