CVE-2021-21311 Overview
CVE-2021-21311 is a Server-Side Request Forgery (SSRF) vulnerability affecting Adminer, an open-source database management tool distributed as a single PHP file. The vulnerability exists in Adminer versions from 4.0.0 up to (but not including) 4.7.9. Users of Adminer versions bundling all drivers (e.g., adminer.php) are affected by this security flaw, which allows attackers to make arbitrary HTTP requests from the vulnerable server.
Critical Impact
This vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild. Attackers can leverage this SSRF to access internal services, exfiltrate sensitive data, or pivot to other systems within the network.
Affected Products
- Adminer versions 4.0.0 to 4.7.8 (all driver bundles)
- Debian Linux 9.0 (via packaged Adminer)
- Any deployment using the bundled adminer.php with all drivers enabled
Discovery Timeline
- 2021-02-11 - CVE-2021-21311 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2021-21311
Vulnerability Analysis
The SSRF vulnerability in Adminer arises from improper handling of HTTP responses in the Elasticsearch and ClickHouse database drivers. When connecting to these database types, Adminer makes HTTP requests to user-specified server addresses. Prior to the patch, error responses from these requests would display the full HTTP response body directly to the user, enabling attackers to craft malicious connection requests that target internal services and retrieve their responses.
This vulnerability is classified under CWE-918 (Server-Side Request Forgery), where a web application can be induced to make requests to an arbitrary domain of the attacker's choosing. The network-accessible attack vector with no user interaction required makes this particularly dangerous in environments where Adminer is exposed to untrusted users.
Root Cause
The root cause lies in the error handling logic within the Elasticsearch (elastic.inc.php) and ClickHouse (clickhouse.inc.php) driver files. When the HTTP response did not carry a 2xx status (the code checks the status line with a regular expression), the vulnerable code would assign the entire response body to the error message, which would then be displayed to the user. This allowed attackers to read responses from arbitrary internal HTTP endpoints by specifying them as the database server address.
Attack Vector
An attacker can exploit this vulnerability by configuring Adminer to connect to an internal service (such as cloud metadata endpoints, internal APIs, or other HTTP services) instead of a legitimate database. The attacker specifies the target internal URL as the database server, and when the connection fails or returns a non-200 response, Adminer would leak the response content in the error message. This enables reconnaissance of internal infrastructure and potential data exfiltration.
// Vulnerable code pattern (before patch) in elastic.inc.php and clickhouse.inc.php.
// $file holds the body returned by file_get_contents() for the driver's HTTP request and
// $http_response_header the headers of that response (its first element is the status line).
if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
    $this->error = $file; // Full response body exposed in the error message shown to the user
    return false;
}

// Patched code - suppresses response content:
if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
    $this->error = lang('Invalid credentials.') . " $http_response_header[0]"; // Only the HTTP status line exposed
    return false;
}
Source: GitHub Commit
Detection Methods for CVE-2021-21311
Indicators of Compromise
- Unusual connection attempts from Adminer to internal IP ranges (e.g., 169.254.169.254 for cloud metadata, 127.0.0.1, 10.x.x.x, 192.168.x.x)
- Database connection attempts specifying non-standard ports or HTTP-based URLs as server addresses
- Error messages containing unexpected HTTP response bodies or internal service data
- Log entries showing failed database connections to internal endpoints
Detection Strategies
- Monitor web application logs for connection attempts to internal IP addresses through Adminer's login interface
- Implement network-level detection for outbound HTTP requests from web servers to internal metadata endpoints or RFC 1918 addresses
- Review access logs for patterns indicating reconnaissance activity through database connection attempts
- Deploy web application firewalls (WAF) with SSRF detection rules to block requests targeting internal services
Monitoring Recommendations
- Enable detailed logging on Adminer deployments to capture all connection parameters
- Configure alerting for any database connection attempts to non-whitelisted IP addresses or hostnames
- Monitor outbound network traffic from web servers for connections to cloud metadata services (e.g., 169.254.169.254)
- Implement application-layer monitoring to detect unusual patterns in database driver usage
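The following script is an added example (not code from the Adminer project or from this advisory) that implements the detection strategies above: it scans web access log lines for Adminer requests whose server parameter points at loopback, link-local (including 169.254.169.254), RFC 1918 or ULA addresses, and the same `is_internal_target` check can be used as the allowlist test recommended for alerting. It assumes Adminer is served under a path containing "adminer" and carries the target host in the `server`, `elastic` or `clickhouse` query keys; the log lines, the `BLOCKED_HOSTNAMES` set and the function names are constructed for the example. It also handles decimal, hexadecimal, bracketed IPv6 and IPv4-mapped address forms, which a plain string match on "127.0.0.1" would miss.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Query-string keys Adminer uses to carry the target server (assumption: `server`
# for MySQL, `elastic` and `clickhouse` for the two HTTP-based drivers in the advisory).
DRIVER_PARAMS = ("server", "elastic", "clickhouse")

# Hostnames that are never a legitimate database target (constructed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}

# Combined-format access log lines, constructed for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2021:10:00:01 +0000] "GET /adminer.php?elastic=169.254.169.254&username=guest HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Feb/2021:10:00:07 +0000] "GET /adminer.php?clickhouse=127.0.0.1%3A8123&username=default HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [11/Feb/2021:10:01:12 +0000] "GET /adminer.php?server=db.example.net&username=app&db=app HTTP/1.1" 200 7310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Feb/2021:10:02:40 +0000] "GET /adminer.php?clickhouse=2130706433%3A8123 HTTP/1.1" 200 498 "-" "curl/7.74.0"',
    '203.0.113.7 - - [11/Feb/2021:10:02:55 +0000] "GET /adminer.php?elastic=%5B%3A%3A1%5D%3A9200 HTTP/1.1" 200 498 "-" "curl/7.74.0"',
    '203.0.113.7 - - [11/Feb/2021:10:03:10 +0000] "GET /adminer.php?elastic=localhost%3A9200 HTTP/1.1" 200 498 "-" "curl/7.74.0"',
    '198.51.100.20 - - [11/Feb/2021:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_ip(host):
    """Return an ip_address for literal forms (dotted, IPv6, decimal, hex) or None."""
    try:
        if host.isdigit():                  # 2130706433 == 127.0.0.1
            return ipaddress.ip_address(int(host))
        if host.lower().startswith("0x"):   # 0x7f000001 == 127.0.0.1
            return ipaddress.ip_address(int(host, 16))
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_internal_target(host):
    """True if host is loopback, link-local, RFC 1918/ULA, reserved, unspecified or a denied name.

    Hostnames are only matched against BLOCKED_HOSTNAMES here; a production check must
    also resolve the name and classify every returned address (DNS can point inward).
    """
    ip = parse_ip(host)
    if ip is None:
        return host.lower().rstrip(".") in BLOCKED_HOSTNAMES
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # ::ffff:10.0.0.1 -> 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def extract_host(value):
    """Pull the host out of a server value such as '127.0.0.1:8123', '[::1]:9200' or 'http://x/'."""
    s = value.strip()
    if "://" not in s:
        s = "http://" + s                   # urlsplit only recognises a netloc after a scheme
    try:
        return urlsplit(s).hostname
    except ValueError:
        return None


def find_ssrf_attempts(log_lines):
    """Return one dict per Adminer request whose server parameter targets an internal host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "adminer" not in m.group("path").lower():
            continue                        # assumption: Adminer served under a path containing 'adminer'
        query = parse_qs(urlsplit(m.group("path")).query)
        for key in DRIVER_PARAMS:
            for value in query.get(key, []):
                host = extract_host(value)
                if host and is_internal_target(host):
                    hits.append({"src": m.group("src"), "time": m.group("ts"),
                                 "driver": key, "value": value, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} driver={hit['driver']} target={hit['value']!r} host={hit['host']}")
```

Run against the constructed log, five of the seven lines are flagged (the `db.example.net` login and the non-Adminer request are not). Because Adminer keeps the server name in the GET query string after login, ordinary access logs are enough as input; feed real log lines to `find_ssrf_attempts` and alert on any hit whose `host` is not on your database allowlist.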
How to Mitigate CVE-2021-21311
Immediate Actions Required
- Upgrade Adminer to version 4.7.9 or later immediately, as this version contains the security fix
- Restrict network access to Adminer installations by implementing IP whitelisting or VPN requirements
- Remove or disable unused database drivers, particularly Elasticsearch and ClickHouse if not required
- Implement egress filtering to prevent the web server from making connections to internal services or metadata endpoints
Patch Information
The vulnerability was addressed in Adminer version 4.7.9. The fix modifies the error handling in both adminer/drivers/clickhouse.inc.php and adminer/drivers/elastic.inc.php to prevent HTTP response bodies from being exposed in error messages. The patch replaces the full response content with a generic "Invalid credentials" message followed only by the HTTP status header.
The security patch is available via:
Workarounds
- If immediate patching is not possible, disable the Elasticsearch and ClickHouse drivers by using a custom Adminer build that excludes these drivers
- Place Adminer behind a reverse proxy that enforces authentication before access
- Implement network segmentation to prevent the web server from reaching internal services or cloud metadata endpoints
- Consider temporarily removing Adminer from production environments until patching can be completed
# Configuration example: Network-level mitigation using iptables
# Assumes the web server runs as www-data (Debian/Ubuntu default); adjust --uid-owner otherwise.
# Block outbound connections to cloud metadata endpoints from web server.
# Without an owner match this rule applies to every local process, including cloud agents
# that legitimately need the metadata service; add "-m owner --uid-owner www-data" to scope it.
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Block connections to internal RFC 1918 ranges from the web process.
# A legitimate database host inside these ranges needs an ACCEPT rule inserted ahead of
# these DROP rules (iptables -I OUTPUT ...), because the first matching rule wins.
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp -m owner --uid-owner www-data -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.