CVE-2021-36471

9.8 CRITICAL

📋 TL;DR

This CVE is recorded as a directory traversal vulnerability in AdminLTE 3.1.0: remote, unauthenticated users can fetch admin pages at specific URIs (/admin/index2.html, /admin/index3.html). No path-traversal primitive is actually involved; these are the template's own sample dashboard pages, and the exposure exists on sites that deploy AdminLTE 3.1.0 and serve them without access controls. The result is information disclosure and, where those pages front real administrative functionality, a route to privilege escalation. The vendor disputes the CVE as a deployment misconfiguration rather than a flaw in the template (see Notes).

💻 Affected Systems

Products:
  • AdminLTE
Versions: 3.1.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: The exposure arises only when a developer deploys the template's sample pages without access control. The AdminLTE maintainers dispute that this is a vulnerability in their software and attribute it to developer misconfiguration.

📦 What is this software?

AdminLTE is an open-source admin dashboard template built on Bootstrap and published by ColorlibHQ as static HTML, CSS and JavaScript. It ships sample dashboard pages (index.html, index2.html, index3.html and others) that developers copy into their own projects. It has no server-side component and enforces no authentication of its own, which is why the vendor regards protecting those pages as the job of the application that embeds them.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers reach administrative functionality without credentials, which can lead to full compromise of the application, theft of its data, or use of the admin interface as a foothold for further attacks.

🟠

Likely Case

Unauthenticated access to admin dashboards that exposes whatever data and configuration those pages render, giving an attacker a starting point for privilege escalation within the application.

🟢

If Mitigated

No impact where the admin pages sit behind authentication and access controls; the sample pages are only a problem when they are reachable without credentials.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a plain HTTP GET to the affected URIs on a deployment that serves them without authentication; no special tooling is needed, which is also why the existence of a public PoC adds little.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://github.com/ColorlibHQ/AdminLTE/issues/4948

Restart Required: No

Instructions:

No official patch: the vendor's position is that AdminLTE is a front-end template and access control belongs to the application that embeds it. Put the admin pages behind authentication and authorisation in the application itself or at the web server, and remove sample pages the application does not use.

🔧 Temporary Workarounds

Implement Authentication Middleware

Applies to: all

Add an authentication check in front of every request for the admin pages, applied to the normalised request path so that percent-encoded or dot-segment variants of the URI are caught as well.

Depends on the implementation framework (for example Express.js middleware or Django decorators).
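An added example of such a middleware, not code from this page or from the AdminLTE project: a framework-agnostic WSGI wrapper that demands HTTP Basic credentials for any path under an assumed /admin/ prefix before the request reaches the application that serves the template files. The credential store, the prefix and the demo application are constructed for the example; a real deployment loads hashed credentials from configuration and serves Basic auth only over HTTPS.

```python
import base64
import hmac
import posixpath

# Constructed credential store for this example only (username -> password).
CREDENTIALS = {"admin": "correct horse battery staple"}

# Assumed prefix under which the AdminLTE pages are deployed. If index2.html
# sits at the site root instead, list the pages themselves here.
PROTECTED_PREFIXES = ("/admin/",)


def credentials_valid(auth_header, store=CREDENTIALS):
    """Return True if an 'Authorization: Basic ...' header carries a known user/password."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(auth_header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    # Constant-time comparison, performed even for unknown users so response
    # timing does not reveal which usernames exist.
    expected = store.get(user, "")
    password_ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return user in store and password_ok


def is_protected(path, prefixes=PROTECTED_PREFIXES):
    """Decide whether a request path falls under a protected prefix.

    PATH_INFO is already percent-decoded by the WSGI server. Leading slashes are
    collapsed before normpath (posixpath keeps '//' as-is), and normpath removes
    '.' and '..' segments, so '//admin/../admin/index2.html' still matches.
    """
    norm = posixpath.normpath("/" + (path or "").lstrip("/"))
    return any(norm == p.rstrip("/") or norm.startswith(p) for p in prefixes)


def require_auth(app, prefixes=PROTECTED_PREFIXES, realm="Admin"):
    """WSGI middleware: demand HTTP Basic auth for protected paths, pass the rest through."""
    def wrapped(environ, start_response):
        if is_protected(environ.get("PATH_INFO", "/"), prefixes) and \
                not credentials_valid(environ.get("HTTP_AUTHORIZATION")):
            start_response("401 Unauthorized", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("WWW-Authenticate", 'Basic realm="%s"' % realm),
            ])
            return [b"authentication required\n"]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the handler that would actually serve the AdminLTE files."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><title>AdminLTE 3 | Dashboard v2</title></html>"]


def basic_header(user, password):
    """Build the Authorization header value a browser would send."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def simulate(app, path, auth_header=None):
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "8080", "wsgi.url_scheme": "http"}
    if auth_header is not None:
        environ["HTTP_AUTHORIZATION"] = auth_header
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


protected_app = require_auth(demo_app)

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    print("serving on http://127.0.0.1:8080/admin/index2.html (user: admin)")
    make_server("127.0.0.1", 8080, protected_app).serve_forever()
```

The check runs on the normalised path rather than the raw string so that a middleware installed in front of a permissive static-file handler cannot be skipped with `/admin/../admin/index2.html` or `//admin/index2.html`; the same idea applies to an Express or Django equivalent.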

Restrict Access via Web Server Configuration

Applies to: all

Configure the web server to require credentials for the admin pages. Adjust the path prefix to wherever the template is deployed, create the password file with htpasswd, and serve Basic auth only over HTTPS.

# Apache example (httpd 2.4)
<Location "/admin">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Location>
# Nginx example
location /admin {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

🧯 If You Can't Patch

  • Implement network-level access controls (VPN, IP allow-lists, reverse-proxy rules) so that only administrators can reach the admin interfaces
  • Remove sample pages the application does not use (index2.html, index3.html and other demo dashboards) rather than leaving them deployed
  • Monitor access logs for unauthorized attempts to access /admin/index*.html paths, including percent-encoded and double-slash variants of those paths

🔍 How to Verify

Check if Vulnerable:

Request /admin/index2.html and /admin/index3.html without credentials (for example with curl -i). A 200 response carrying the AdminLTE dashboard markup means the deployment is exposed. A 200 on its own is not conclusive if the server answers 200 for every path (single-page applications often do), so compare against a path that should not exist.

Check Version:

Read the "version" field in AdminLTE's package.json, or the version banner comment at the top of the bundled dist/css/adminlte.css or dist/js/adminlte.js.

Verify Fix Applied:

Confirm that unauthenticated requests to /admin/index2.html and /admin/index3.html receive 401 or 403, a redirect to a login page, or 404 if the sample pages were removed, and that the same requests with valid credentials still succeed.
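An added probe implementing the checks above (example code, not the page's or the project's own). It requests the two URIs without credentials, refuses to follow redirects so a login redirect counts as protected, and compares against a control path that should not exist, so a catch-all 200 is reported for review rather than as a finding. The "AdminLTE" body marker is an assumption about the sample pages' markup, and the control path name is made up.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths named in the CVE. Adjust if the template is deployed under another prefix.
TARGET_PAGES = ("/admin/index2.html", "/admin/index3.html")
# Made-up path that should not exist; detects servers that answer 200 for everything.
CONTROL_PATH = "/admin/cve-2021-36471-control-does-not-exist.html"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them: a redirect to a login page is a pass."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_page(url, timeout=5):
    """Return (status, first 64 KiB of body as text) for an unauthenticated GET."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2021-36471-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def verdict(status, body, control_status):
    """Classify one unauthenticated response.

    VULNERABLE : 200 with AdminLTE markup, and the server does not 200 arbitrary paths
    PROTECTED  : 401/403/404, or a redirect (typically to a login page)
    REVIEW     : anything ambiguous; inspect the response by hand
    """
    if status == 200:
        if control_status == 200:
            return "REVIEW"  # catch-all route; a 200 alone proves nothing
        return "VULNERABLE" if "AdminLTE" in body else "REVIEW"
    if status in (401, 403, 404) or 300 <= status < 400:
        return "PROTECTED"
    return "REVIEW"


def check(base_url, pages=TARGET_PAGES, fetch=fetch_page):
    """Probe every target page and return {path: verdict}."""
    control_status, _ = fetch(urljoin(base_url, CONTROL_PATH))
    return {page: verdict(*fetch(urljoin(base_url, page)), control_status) for page in pages}


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080/"
    for path, result in check(base).items():
        print("%-10s %s" % (result, path))
```

Run it against the site's base URL before and after applying a workaround; the fetch function is injectable so the classification logic can be exercised against recorded responses without network access.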

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to /admin/index2.html or /admin/index3.html with no authenticated user recorded (the user field of a combined-format log is "-"), including percent-encoded or double-slash variants of those paths
  • Multiple failed authentication attempts (401/403) on admin paths followed by a successful (200) access from the same client

Network Indicators:

  • Traffic to admin pages from addresses that should never reach them (for example external sources for an internal-only dashboard)

SIEM Query:

source="web_server" AND (uri="/admin/index2.html" OR uri="/admin/index3.html") AND response_code=200

The field names above are illustrative; map source, uri and response_code to your collector's schema, and normalise uri (strip the query string, percent-decode, collapse repeated slashes) before matching so encoded variants are not missed.
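An added detection example (not from the page) that applies the log indicator above to combined-format access log lines: it canonicalises the request path so percent-encoded, dot-segment and double-slash variants match, and flags 2xx responses to the target pages where the server recorded no authenticated user. The log lines are constructed for the example.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

TARGET_PATHS = {"/admin/index2.html", "/admin/index3.html"}

# Apache/Nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two unauthenticated hits from one client (one of them
# encoded), one hit by an HTTP-authenticated user, one rejected, one unrelated,
# one redirected to a login page.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2021:10:01:02 +0000] "GET /admin/index2.html HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2021:10:01:05 +0000] "GET /admin//index%33.html?v=1 HTTP/1.1" 200 40120 "-" "Mozilla/5.0"
198.51.100.4 - alice [12/Jul/2021:10:02:00 +0000] "GET /admin/index2.html HTTP/1.1" 200 41233 "-" "curl/7.68.0"
198.51.100.9 - - [12/Jul/2021:10:03:00 +0000] "GET /admin/index2.html HTTP/1.1" 401 0 "-" "curl/7.68.0"
192.0.2.1 - - [12/Jul/2021:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Jul/2021:10:05:00 +0000] "GET /admin/index2.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def canonical_path(target):
    """Reduce a request target to a comparable path: drop the query string,
    percent-decode, collapse '.', '..' and repeated slashes, lower-case.
    '/admin//index%33.html?v=1' and '/admin/index3.html' compare equal."""
    path = unquote(urlsplit(target).path)
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def flag_hits(lines, targets=TARGET_PATHS):
    """Return successful (2xx) unauthenticated requests to the target pages.

    'user' is the HTTP-auth user the web server recorded; '-' means none. Clients
    authenticated at the application layer (session cookie) also show '-', so a
    hit is a lead to confirm against application logs, not proof on its own."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = canonical_path(m["target"])
        status = int(m["status"])
        if path in targets and 200 <= status < 300 and m["user"] == "-":
            hits.append({"ip": m["ip"], "time": m["time"], "path": path, "status": status})
    return hits


def per_source(hits):
    """Count flagged hits per client address for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = flag_hits(SAMPLE_LOG)
    for h in found:
        print("%s %s %s %d" % (h["time"], h["ip"], h["path"], h["status"]))
    print(dict(per_source(found)))
```

Against the sample, only the two requests from 203.0.113.7 are flagged: the 401, the 302 and the hit recorded for user alice drop out, and the encoded double-slash request is matched because of the canonicalisation step that the SIEM query above would miss.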

🔗 References

  • Vendor issue (dispute): https://github.com/ColorlibHQ/AdminLTE/issues/4948
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-36471