CVE-2021-21311 — Adminer Server-Side Request Forgery Vulnerability

Adminer Database Management Tool — SSRF via Redirect Functionality Enables Unauthenticated Attacker to Reach Internal Services and Exfiltrate Sensitive Data

What is Adminer?

Adminer (formerly phpMinAdmin) is a lightweight, single-file web-based database management tool written in PHP that supports MySQL, PostgreSQL, SQLite, MS SQL, Oracle, and other databases. It is widely deployed by developers and system administrators as a convenient alternative to phpMyAdmin — its single-file nature makes it easy to drop into a web directory for temporary database access. Because Adminer is a web-accessible database management interface, it processes user-supplied database connection parameters (server addresses, credentials) and uses them to make network connections from the server hosting Adminer. SSRF vulnerabilities in Adminer can turn this database connectivity into a proxy for reaching internal network services that should not be externally accessible.

Overview

CVE-2021-21311 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in Adminer versions before 4.7.9. Adminer's HTTP-based database drivers (Elasticsearch and ClickHouse) send requests to whatever host is entered in the login form's Server field and, before the fix, followed HTTP redirects returned by that host. An unauthenticated attacker can therefore make the Adminer server issue requests to attacker-chosen URLs, including internal addresses (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, localhost) that the attacker has no direct route to. The Scope: Changed (S:C) rating reflects that the attack crosses a security boundary: the Adminer host's network position is borrowed to reach resources that external attackers cannot access directly. Fixed in Adminer 4.7.9. Per the GitHub advisory, only builds that bundle all drivers (the standard adminer.php) are affected, and a MySQL-only build is listed as a workaround. CISA added the CVE to the KEV catalog on 2025-09-29, reflecting exploitation of instances still running versions older than 4.7.9.

Affected Versions

Product                   Vulnerable   Fixed
Adminer before 4.7.9      Yes          Adminer 4.7.9 (January 26, 2021)

Technical Details

  • Root cause: SSRF (CWE-918) in the connection step of Adminer's HTTP-based drivers (Elasticsearch, ClickHouse). The host from the login form's Server field is used as an HTTP target, and redirects from that host were followed without checking where they pointed, so an attacker-controlled "database server" can bounce the request to any internal address and Adminer becomes a proxy into the network behind it
  • Unauthenticated exploitation: PR:N/UI:N/AC:L. No database credentials or user interaction are required; the SSRF fires during the login attempt itself, so the Adminer login form offers no protection. The attacker only needs to submit a login request with the Server field pointing at a host they control
  • Scope: Changed (S:C): the SSRF reaches services that are not directly routable from the internet (metadata APIs, internal HTTP services, database management APIs, Kubernetes API servers, IMDSv1 endpoints); the attacker's request effectively travels from the internet through the Adminer host into the internal network
  • Cloud metadata exposure: the instance metadata service at 169.254.169.254 is a primary SSRF target. On AWS, IMDSv1 answers a plain GET, so an SSRF that follows redirects can read IAM role credentials, which grant API access with that role's permissions. Azure (Metadata: true) and GCP (Metadata-Flavor: Google) require a custom request header that a redirect-following GET cannot set, so those endpoints are much harder to reach through this bug
  • Four-year KEV delay: CISA added this on 2025-09-29, more than four years after the patch, reflecting persistent deployment of unpatched Adminer instances across enterprise and cloud environments and active exploitation observed in incidents
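The two behaviours described above, redirect following and no check on the resolved target, together with the checks that close them, as an added example in Python rather than Adminer's PHP. This is the editor's illustration, not Adminer's code or the 4.7.9 patch. The two loopback servers, the `/latest/meta-data/` path and the `CONSTRUCTED-SECRET` body are constructed stand-ins: one server plays the attacker's "database server" that answers with a 302, the other plays an internal-only service such as a metadata endpoint.

```python
import ipaddress, socket, threading
import urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class AttackerRedirect(BaseHTTPRequestHandler):
    """Constructed attacker host: answers every request with a redirect."""
    target = ""  # internal URL, set by run_demo()

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", self.target)
        self.end_headers()

    log_message = lambda *a: None  # keep the demo quiet


class InternalService(BaseHTTPRequestHandler):
    """Constructed stand-in for a service only the web server can reach."""
    def do_GET(self):
        body = b"CONSTRUCTED-SECRET"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    log_message = lambda *a: None


def _serve(handler):
    """Start a throwaway HTTP server on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def vulnerable_fetch(url):
    """Pre-fix behaviour: 3xx answers are followed, so the body of wherever
    the attacker's host points comes back to the caller."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def fetch_without_redirects(url):
    """Check 1: never follow a redirect issued by a user-supplied host."""
    opener = urllib.request.build_opener(_RefuseRedirects)
    with opener.open(url, timeout=5) as resp:
        return resp.read().decode()


BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_allowed_target(url, resolver=socket.getaddrinfo):
    """Check 2: reject a target whose *resolved* address is internal, so names
    and odd IPv4 spellings (decimal, hex) that resolve inward are caught too.
    'resolver' is injectable so the check runs offline against a constructed
    name table."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # literal address: no lookup
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(i[4][0]) for i in resolver(host, parts.port or 80)]
        except (OSError, ValueError):
            return False
    for ip in addrs:
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.1 is still 10.0.0.1
            ip = ip.ipv4_mapped
        if not ip.is_global or any(ip in net for net in BLOCKED):
            return False
    return True


def run_demo():
    """Return (what the naive client leaked, whether the hardened client refused)."""
    internal = _serve(InternalService)
    AttackerRedirect.target = "http://127.0.0.1:%d/latest/meta-data/" % internal.server_port
    attacker = _serve(AttackerRedirect)
    url = "http://127.0.0.1:%d/" % attacker.server_port
    try:
        leaked = vulnerable_fetch(url)
        try:
            fetch_without_redirects(url)
            refused = False
        except urllib.error.HTTPError:
            refused = True
    finally:
        for srv in (attacker, internal):
            srv.shutdown()
            srv.server_close()
    return leaked, refused
```

`run_demo()` returns `("CONSTRUCTED-SECRET", True)`: the redirect-following client hands the internal body to whoever typed the Server field, the redirect-refusing client stops at the 302. A real client needs both checks, `is_allowed_target()` on the host before connecting and a client that refuses redirects; DNS rebinding can still change the answer between the check and the connect, which is why the egress controls in the remediation section are the stronger backstop.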

Discovery

Reported to the Adminer project and patched in version 4.7.9 (January 26, 2021). The GitHub security advisory GHSA-x5r2-hj5c-8jx6 documented the SSRF and its potential for internal network access. CISA's September 2025 KEV addition (over four years post-patch) reflects the reality that Adminer instances are frequently deployed without version tracking and remain at old versions for years.

Exploitation Context

Adminer is widely used as a "temporary" database management tool that often becomes permanent without maintenance. Many deployments remain publicly accessible on web servers with no authentication beyond the Adminer login itself, which is no barrier here because the SSRF is triggered by the login attempt. Attackers use CVE-2021-21311 to: (1) map internal network topology by pointing requests at internal ranges and observing timing and responses, (2) read cloud instance metadata to steal IAM credentials, (3) interact with internal APIs (Kubernetes, container registries, internal microservices) never intended to be internet-accessible, and (4) ride firewall rules that permit the web server, but not the internet, to reach internal networks. The four-year KEV delay underscores how long legacy versions remain in production.

Remediation

  1. Update Adminer to version 4.7.9 or later; this removes the redirect following that makes the SSRF possible. Per the GitHub advisory, a MySQL-only build (adminer-mysql.php) does not bundle the affected HTTP-based drivers and is an acceptable interim workaround, not a substitute for upgrading
  2. Remove Adminer from internet-accessible locations. The Adminer login form is not a control here: the SSRF fires during the connection attempt, before any database credential is checked. If the tool is needed, put it behind a VPN or an additional authentication layer (HTTP basic auth, IP allowlisting) enforced by the web server rather than by Adminer
  3. Audit all web servers for Adminer deployments: look for adminer.php, adminer-*.php, or other single-file PHP database tools in web directories, including "temporary" copies outside the main document root
  4. If Adminer must remain deployed, enforce egress controls on the host so the PHP process cannot reach internal ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and loopback services other than the database itself); allow the specific database hosts by exception rather than leaving internal networks open
  5. On AWS, require IMDSv2 (HttpTokens set to required, and a PUT-response hop limit of 1) so metadata credentials cannot be read via SSRF: IMDSv2 needs a token obtained with a PUT request carrying a custom header, which a redirect-following GET cannot produce. Azure and GCP metadata services already require a custom request header and so are not reachable through this bug without header control
  6. Replace Adminer with a more securely managed database administration approach: dedicated database clients on VPN-connected workstations rather than web-accessible tools
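A script for the audit in step 3, as an added example that is not from the advisory or the Adminer project: walk one or more web roots, find files named like single-file Adminer builds, read the version from the leading doc comment and flag anything older than 4.7.9. The file-name pattern and the `@version X.Y.Z` header line are assumptions about the released builds (rename or extend `NAME_RE` if your copies were renamed); the files written by `demo()` are constructed fixtures in a temporary directory.

```python
import os
import re
import shutil
import tempfile

FIXED = (4, 7, 9)
# Assumption: single-file builds are named adminer.php or
# adminer-<version>[-<driver>][-<lang>].php.
NAME_RE = re.compile(r"^adminer(?:-[\w.-]+)?\.php$", re.IGNORECASE)
# Assumption: the compiled file opens with a doc comment carrying
# '@version X.Y.Z'. A file without it is reported as 'unknown', not skipped.
VERSION_RE = re.compile(r"@version\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(head):
    """Version tuple from the file header, or None if there is none."""
    m = VERSION_RE.search(head)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """Older than the fixed release; unknown versions count as vulnerable."""
    return version is None or version < FIXED


def scan(roots):
    """Walk the given web roots and report every Adminer-named PHP file."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not NAME_RE.match(name):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    head = fh.read(4096)  # the header comment is at the top
                ver = parse_version(head)
                findings.append({
                    "path": path,
                    "version": ".".join(map(str, ver)) if ver else "unknown",
                    "vulnerable": is_vulnerable(ver),
                    # The advisory's workaround build: MySQL-only copies omit the
                    # HTTP-based drivers the SSRF needs, but still warrant upgrading.
                    "single_driver": "-mysql" in name.lower(),
                })
    return sorted(findings, key=lambda f: f["path"])


def _header(version):
    """Constructed file header shaped like a compiled Adminer build."""
    return "<?php\n/** Adminer - Compact database management\n* @version %s\n*/\n" % version


def demo():
    """Build a constructed web root with three Adminer copies, scan it and
    return (file name, version, vulnerable, single_driver) per finding."""
    root = tempfile.mkdtemp(prefix="adminer-audit-")
    try:
        samples = {
            "html/adminer.php": _header("4.7.8"),              # vulnerable bundle
            "html/tools/adminer-4.8.1.php": _header("4.8.1"),  # fixed
            "legacy/adminer-4.7.2-mysql.php": _header("4.7.2"),
            "html/index.php": "<?php echo 'not adminer';\n",   # must be ignored
        }
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return [(os.path.basename(f["path"]), f["version"], f["vulnerable"],
                 f["single_driver"]) for f in scan([root])]
    finally:
        shutil.rmtree(root)
```

On a real host call `scan(["/var/www", "/srv", "/home"])` and review anything with `vulnerable` set, treating `unknown` versions as suspect until the file is inspected by hand. Matching on file name alone misses copies that were renamed; grepping web roots for the string `adminer.org` catches most of those.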

Key Details

Property               Value
CVE ID                 CVE-2021-21311
Vendor / Product       Adminer — Adminer
NVD Published          2021-02-11
NVD Last Modified      2025-10-24
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Severity               HIGH
CWE                    CWE-918
CISA KEV Added         2025-09-29
CISA KEV Deadline      2025-10-20
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-10-20. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2021-01-26   Adminer 4.7.9 released, patching the CVE-2021-21311 SSRF vulnerability
2021-02-11   CVE published; GitHub security advisory GHSA-x5r2-hj5c-8jx6 published
2025-09-29   Added to CISA Known Exploited Vulnerabilities catalog, over four years after the patch
2025-10-20   CISA BOD 22-01 remediation deadline