CVE-2021-43008
high-risk
Published 2022-04-05
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting that Adminer connect to a remote MySQL database.
Do I need to act?
83.5% chance of exploitation in next 30 days
EPSS score — higher than 17% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High
NETWORK / LOW complexity
Affected Products (2)
References (10)
Release Notes
https://github.com/vrana/adminer/releases/tag/v4.6.3
Product
https://www.adminer.org/
53 / 100 · high-risk
Severity: 26/34 · High
Exploitability: 20/34 · Moderate
Exposure: 7/34 · Low