CVE-2021-21311

7.2 HIGH

📋 TL;DR

CVE-2021-21311 is a server-side request forgery (SSRF) vulnerability in Adminer, a single-file PHP database management tool. An attacker who can reach the Adminer login page can make the Adminer host issue requests to servers of the attacker's choosing, including internal systems and cloud metadata endpoints. Adminer versions 4.0.0 up to and including 4.7.8 are affected when deployed as the all-drivers build (adminer.php); single-driver builds are not. The result is internal network reconnaissance and potential exposure of data held by internal services.

💻 Affected Systems

Products:
  • Adminer
Versions: 4.0.0 through 4.7.8
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only the all-drivers build (adminer.php, the default download) is affected. Single-driver builds (for example the MySQL-only build) do not include the affected driver code.

📦 What is this software?

Adminer is an open-source database management tool distributed as a single PHP file. It is dropped into a web root and offers a login form where the user chooses a database driver, a server and credentials; the bundled all-drivers build supports several database systems, while single-driver builds support one.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, databases, or cloud metadata endpoints, potentially leading to data exfiltration, privilege escalation (for example through cloud credentials obtained from a metadata service), or lateral movement within the network.

🟠 Likely Case

Internal network scanning, access to internal APIs or services, and retrieval of sensitive information from cloud metadata services.

🟢 If Mitigated

Limited impact if the Adminer host's outbound access is restricted so that forged requests cannot reach sensitive internal services or cloud metadata endpoints, and if the login page itself is reachable only from trusted addresses.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation does not require valid database credentials: the outbound request is issued while Adminer processes the login form, before any authentication against the chosen backend succeeds (the vendor advisory's CVSS vector scores it as PR:N). The flaw is in the login form's driver and server handling, where the user-supplied server value is used as the target of an outbound connection without validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.9

Vendor Advisory: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6

Restart Required: No. PHP reads the replaced file on the next request; if opcache.validate_timestamps is disabled, reload PHP-FPM or the web server so the cached copy of the old file is dropped.

Instructions:

1. Download Adminer 4.7.9 or later from the official repository, choosing the same build type you deploy (all-drivers, or the single-driver build for your database).
2. Replace the existing adminer.php file with the patched version.
3. Verify the version shown in the Adminer interface and in the file header.

🔧 Temporary Workarounds

Use a single-driver build (Platform: all)

Replace the all-drivers adminer.php with the single-driver build for the database you actually administer. Single-driver builds do not include the affected driver code and so are not vulnerable.

Download the single-driver build from https://www.adminer.org/

Restrict outbound connections (Platform: all)

The forged request originates from the Adminer host, so controls in front of the application do not see it; egress filtering on the host or at the network boundary does. Restrict the Adminer host's outbound connections to the database servers it administers.

Configure host or network firewall rules that allow egress only to the administered database servers and block, in particular, the link-local address 169.254.169.254 (cloud metadata) and internal ranges the host has no need to reach.

🧯 If You Can't Patch

  • Restrict access to Adminer, including its login page, to trusted IP addresses only; the request can be triggered without valid credentials
  • Add web application firewall rules that flag login requests whose server value carries a URL scheme or points at 169.254.169.254, a loopback address, or a private address range

🔍 How to Verify

Check if Vulnerable:

Check the version shown in the Adminer interface, or read the @version line in the header docblock of adminer.php. Any version from 4.0.0 up to and including 4.7.8 is affected if it is the all-drivers build.

Check Version:

grep -m1 '@version' adminer.php

Verify Fix Applied:

Confirm that the file header and the Adminer interface both report 4.7.9 or later. A recent file modification date is not evidence that the patched build was installed.
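The header-based version check carried out in Python, added here as an example; it is not code from the original page or from the Adminer project. It assumes the compiled adminer.php keeps an `@version X.Y.Z` line in its header docblock, which is what the check reads, and the sample header is constructed. The version alone cannot tell an all-drivers build from a single-driver build, so that fact is supplied by the caller.

```python
"""Classify a deployed adminer.php against the CVE-2021-21311 affected range.

Assumption (not from the Adminer project): the compiled single-file build
carries an "@version X.Y.Z" line in its header docblock.
"""
import re
import sys
from pathlib import Path

VERSION_RE = re.compile(r"@version\s+(\d+(?:\.\d+)*)")
FIRST_AFFECTED = (4, 0, 0)   # advisory: affected from 4.0.0 ...
FIXED_IN = (4, 7, 9)         # ... and fixed in 4.7.9

# Constructed sample header in the shape the check expects; not a real file.
SAMPLE_HEADER = """/** Adminer - Compact database management
* @link https://www.adminer.org/
* @version 4.7.8
*/
<?php
"""


def parse_version(text):
    """Return the header version as a tuple of ints, or None if no @version line."""
    m = VERSION_RE.search(text[:4096])          # the docblock sits at the top of the file
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))       # pad "4.7" to (4, 7, 0)


def is_vulnerable_version(version):
    """True when 4.0.0 <= version < 4.7.9 (the range the advisory names)."""
    return FIRST_AFFECTED <= tuple(version) < FIXED_IN


def assess(text, all_drivers_build=True):
    """Combine the version test with the build type and return a small report.

    all_drivers_build must be supplied by the operator: only the all-drivers
    build (adminer.php) is affected, and the header does not say which build it is.
    """
    version = parse_version(text)
    if version is None:
        return {"version": None, "vulnerable": None,
                "note": "no @version header found; confirm the version in the Adminer UI"}
    in_range = is_vulnerable_version(version)
    if in_range and all_drivers_build:
        note = "affected version and all-drivers build: update to 4.7.9 or later"
    elif in_range:
        note = "affected version range but single-driver build: not affected"
    else:
        note = "version is outside the affected range"
    return {"version": ".".join(map(str, version)),
            "vulnerable": in_range and all_drivers_build,
            "note": note}


def assess_file(path, all_drivers_build=True):
    """Read a deployed adminer.php and assess it."""
    return assess(Path(path).read_text(encoding="utf-8", errors="replace"), all_drivers_build)


if __name__ == "__main__":
    # usage: python adminer_check.py /var/www/html/adminer.php
    print(assess_file(sys.argv[1]))
```

Run it against every copy of adminer.php on the host, not only the one linked from the web root; stale copies in backup or staging directories are still reachable if the web server serves them.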

📡 Detection & Monitoring

Log Indicators:

  • Login or connection attempts whose server value carries a URL scheme or points at a loopback, private, or link-local address
  • Outbound connections from the Adminer host to internal addresses it does not normally administer
  • Bursts of login attempts from one source cycling through server values or ports (port scanning through Adminer)

Network Indicators:

  • Outbound connections from Adminer server to internal services not typically accessed
  • Requests to cloud metadata endpoints (169.254.169.254, etc.)

SIEM Query:

source="adminer_access.log" AND (uri="*server=http*" OR uri="*server=169.254.169.254*" OR uri="*server=127.*" OR uri="*server=10.*" OR uri="*server=192.168.*") AND NOT (src_ip IN trusted_ips)

The login form submits the driver and server choice as POST fields (auth[driver], auth[server]), which a default access log does not record, so this query only sees the server value once it appears in a URL. To catch the initial request, log request bodies at the web server or alert on the Adminer host's outbound connections instead.
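The same detection run as Python over access-log lines, added here as an example; it is not code from the original page or from the Adminer project. It assumes Apache/nginx combined-format lines and that the server value appears in the query string as `server=`, the same assumption the SIEM query makes; the log lines are constructed. It also shows the gap the query has: the login POST carries its server value in the request body, so that line yields nothing.

```python
"""Flag access-log requests whose Adminer server value targets an internal or
cloud-metadata host, the trace an SSRF attempt against CVE-2021-21311 leaves.

Assumptions (not from the Adminer project): lines are in Apache/nginx combined
format and the server value is visible in the query string as server=...;
the sample lines below are constructed, not real traffic.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# src - - [time] "METHOD target HTTP/x" status ... of the combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query-string keys that carry the backend server choice.
SERVER_KEYS = ("server", "auth[server]")

# Metadata services reachable by name; 169.254.169.254 is caught by the link-local test.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

SAMPLE_LOG = [
    # constructed: metadata endpoint via a URL-encoded scheme
    '203.0.113.7 - - [09/Feb/2021:12:00:01 +0000] "GET /adminer.php?server=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F&username=x HTTP/1.1" 200 2048',
    # constructed: probing an internal host:port through Adminer
    '203.0.113.7 - - [09/Feb/2021:12:00:05 +0000] "GET /adminer.php?server=10.0.0.12%3A9200&username=x HTTP/1.1" 200 2048',
    # constructed: ordinary use against a public database hostname
    '198.51.100.2 - - [09/Feb/2021:12:01:00 +0000] "GET /adminer.php?server=db.example.com&username=app HTTP/1.1" 200 5120',
    # constructed: an administrator on a trusted source connecting to localhost
    '10.0.0.5 - - [09/Feb/2021:12:02:00 +0000] "GET /adminer.php?server=localhost&username=root HTTP/1.1" 200 5120',
    # constructed: the login POST itself; its auth[server] field is in the body, not the log
    '203.0.113.9 - - [09/Feb/2021:12:03:00 +0000] "POST /adminer.php HTTP/1.1" 302 0',
]


def extract_host(value):
    """Host part of a server value given as host, host:port, [v6]:port or a full URL."""
    if "://" not in value:
        value = "//" + value        # make urlsplit parse it as an authority
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:              # malformed IPv6 literal and the like: undecidable
        return ""


def classify_target(value):
    """Reason string when the value points somewhere an SSRF would aim, else None."""
    host = extract_host(value)
    if not host:
        return None
    if host in METADATA_HOSTS:
        return "cloud metadata hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                 # public-looking name; nothing to decide from the log alone
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private address range"
    return None


def scan_access_log(lines, trusted_sources=()):
    """Return (source_ip, server_value, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("src") in trusted_sources:
            continue
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for key in SERVER_KEYS:
            for value in params.get(key, []):
                reason = classify_target(value)
                if reason:
                    hits.append((m.group("src"), value, reason))
    return hits


if __name__ == "__main__":
    for src, value, reason in scan_access_log(SAMPLE_LOG, trusted_sources={"10.0.0.5"}):
        print(f"{src} -> {value!r}: {reason}")
```

The classifier works on the host part only, so a value like `http://user@169.254.169.254/` is still flagged; a public-looking hostname that resolves internally is not, which is why egress monitoring on the Adminer host remains the more reliable signal.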

🔗 References

  • Vendor advisory GHSA-x5r2-hj5c-8jx6: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6