Impact

All users are affected.

Patches

• Unsuccessfully patched by 0fae40f, included in version 4.4.0.
• Patched by 35bfaa7, included in version 4.7.8.

Workarounds

Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin.

References

• http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
• https://sourceforge.net/p/adminer/bugs-and-features/769/
• https://gusralph.info/adminer-ssrf-bypass-cve-2018-7667/ (CVE-2020-28654)

For more information

If you have any questions or comments about this advisory:

• Comment at 35bfaa7.