CVE-2021-43008
Published: 2022-04-05
Priority: P3 · 56 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 13.64% (96.0th percentile)
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adminer | adminer | >= 0 < 4.6.3-1 | 4.6.3-1 |
| adminer | adminer | 1.12.0 – 4.6.2 | — |
| debian | adminer | < adminer 4.6.3-1 (bookworm) | adminer 4.6.3-1 (bookworm) |
| debian | debian_linux | — | — |
| vrana | adminer | >= 1.12.0 < 4.6.3 | 4.6.3 |
Detection & IOCs (extracted from sources)
- Adminer versions 1.12.0 through 4.6.2 are vulnerable; detect use of these versions in your environment, as they allow arbitrary file read via a rogue remote MySQL database connection.
- Monitor for outbound MySQL connections (port 3306) initiated from the Adminer web application server to external or untrusted IP addresses; this is the attack vector for the file-read exploit.
- Public exploits are available for this vulnerability; treat any exploitation attempt as high severity, given the low attack complexity and the absence of any authentication requirement.
- Successful exploitation can result in database credential theft; monitor for unexpected access to database configuration files on servers running vulnerable Adminer versions.
- Only the Windows installation of Advantech R-SeeNet is affected by this CVE via its bundled Adminer component; Linux installations are not affected.
- The vulnerability is scoped as 'local' impact in Debian's tracker, which may affect risk scoring in some environments.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
CISA ICS
Adminer in Industrial Products
cisa_ics·2022-05-10·CVSS 7.5
[HIGH] Adminer in Industrial Products
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## Adminer in Industrial Products
Last Revised: May 10, 2022
Alert Code: ICSA-22-130-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Adminer
- Equipment: Adminer
- Vulnerability: Files or Directories Accessible to External Parties
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow reading of database credentials and loss of sensitive information.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Adminer, a database management tool, are
Debian
CVE-2021-43008: adminer - Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4....
vendor_debian·2021·CVSS 7.5
CVE-2021-43008 [HIGH] CVE-2021-43008: adminer - Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4....
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
Scope: local
bookworm: resolved (fixed in 4.6.3-1)
bullseye: resolved (fixed in 4.6.3-1)
forky: resolved (fixed in 4.6.3-1)
sid: resolved (fixed in 4.6.3-1)
trixie: resolved (fixed in 4.6.3-1)
GHSA
Files or Directories Accessible to External Parties in Adminer
ghsa·2022-04-06
CVE-2021-43008 [HIGH] CWE-552 Files or Directories Accessible to External Parties in Adminer
Files or Directories Accessible to External Parties in Adminer
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
OSV
Files or Directories Accessible to External Parties in Adminer
osv·2022-04-06
CVE-2021-43008 [HIGH] Files or Directories Accessible to External Parties in Adminer
Files or Directories Accessible to External Parties in Adminer
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
OSV
CVE-2021-43008: Improper Access Control in Adminer versions 1
osv·2022-04-05·CVSS 7.5
CVE-2021-43008 [HIGH] CVE-2021-43008: Improper Access Control in Adminer versions 1
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/vrana/adminer/releases/tag/v4.6.3
- https://lists.debian.org/debian-lts-announce/2022/05/msg00012.html
- https://podalirius.net/en/cves/2021-43008/
- https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability
- https://www.adminer.org/