
SSRF on error page of Elasticsearch and ClickHouse

Moderate
vrana published GHSA-x5r2-hj5c-8jx6 Feb 10, 2021

Package

bundle with all drivers

Affected versions

4.0.0 to 4.7.8

Patched versions

4.7.9

Description

Impact

Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected.

Patches

Patched by ccd2374, included in version 4.7.9.

Workarounds

  • Use a single driver version (e.g. adminer-mysql.php).
  • Additionally protect access to Adminer by other means, e.g. an HTTP password, IP address restrictions, or the OTP plugin.
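
To find which Adminer copies on a host fall into the affected range, the following added example (not part of the advisory or of Adminer) classifies PHP files by version and by whether they bundle the Elasticsearch or ClickHouse drivers. It assumes the file carries an `@version X.Y.Z` tag in its header comment and that bundled drivers appear by name as strings; the verdict names and sample contents are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# From the advisory: affected 4.0.0 to 4.7.8, patched in 4.7.9.
AFFECTED_MIN, AFFECTED_MAX = (4, 0, 0), (4, 7, 8)

# Assumption: the compiled file keeps an "@version X.Y.Z" tag in its header comment.
VERSION_RE = re.compile(rb"@version\s+(\d+)\.(\d+)\.(\d+)")
# Assumption: a bundle with all drivers contains these driver names as strings.
DRIVER_MARKERS = (b"Elasticsearch", b"ClickHouse")

# Constructed stand-ins for Adminer files (not real Adminer code).
SAMPLES = {
    "bundle-4.7.8": b"<?php /** Adminer\n* @version 4.7.8\n*/ 'Elasticsearch' 'ClickHouse'",
    "mysql-4.7.8": b"<?php /** Adminer\n* @version 4.7.8\n*/ 'MySQL'",
    "bundle-4.7.9": b"<?php /** Adminer\n* @version 4.7.9\n*/ 'Elasticsearch'",
    "no-header": b"<?php echo 'Adminer';",
}


def classify(data: bytes) -> str:
    """Return 'affected', 'single-driver', 'not-in-range' or 'unknown'."""
    match = VERSION_RE.search(data)
    if match is None:
        return "unknown"
    # Compare as integers, not strings, so multi-digit components order correctly.
    version = tuple(int(part) for part in match.groups())
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "not-in-range"
    if any(marker in data for marker in DRIVER_MARKERS):
        return "affected"
    return "single-driver"


def scan(root: str):
    """Yield (path, verdict) for each PHP file under root that mentions Adminer."""
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        if b"Adminer" in data[:4096]:
            yield path, classify(data)


if __name__ == "__main__":
    for found, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:14} {found}")
```

A `single-driver` verdict corresponds to the first workaround above; `unknown` means no version tag was found and the file needs manual review.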

References

https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-21311
