Bug 1182156 (CVE-2021-21311) - VUL-0: CVE-2021-21311: adminer: server-side request forgery vulnerability
Summary: VUL-0: CVE-2021-21311: adminer: server-side request forgery vulnerability
Status: RESOLVED FIXED
Alias: CVE-2021-21311
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem (show other bugs)
Version: Leap 15.2
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Jimmy Berry
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/277850/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-12 08:01 UTC by Alexander Bergmann
Modified: 2021-02-17 01:59 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2021-02-12 08:01:11 UTC 
CVE-2021-21311

Adminer is an open-source database management in a single PHP file. In adminer
from version 4.0.0 and before 4.7.9 there is a server-side request forgery
vulnerability. Users of Adminer versions bundling all drivers (e.g.
`adminer.php`) are affected. This is fixed in version 4.7.9.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21311
https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351
https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
https://packagist.org/packages/vrana/adminer
Comment 1 Jimmy Berry 2021-02-12 19:16:34 UTC 
https://build.opensuse.org/request/show/871524
Comment 2 Jimmy Berry 2021-02-12 19:19:32 UTC 
Also tried to update 15.3, but managed https://build.opensuse.org/request/show/871525. I did `osc sr openSUSE:Factory adminer openSUSE:Leap:15.3` so presumably that is desired?
Comment 3 Jimmy Berry 2021-02-17 01:59:57 UTC 
SR accepted