CVE-2021-21311
Published: 11 February 2021
Summary
CVE-2021-21311 is a high-severity SSRF (CWE-918) vulnerability in Adminer. Its CVSS base score is 7.2 (High).
Operationally, this CVE ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Adminer is an open-source database management tool distributed as a single PHP file. It is affected by a server-side request forgery vulnerability in versions 4.0.0 through 4.7.8 that impacts users of builds bundling all drivers, such as adminer.php. The flaw is identified as CWE-918 and carries a CVSS 3.1 score of 7.2.
An unauthenticated remote attacker can send crafted requests to the Adminer instance to induce the server into making arbitrary outbound connections, resulting in limited impacts to confidentiality and integrity in the server's security context.
The issue is resolved in version 4.7.9. The project has published a security advisory and corresponding code commit, while Debian has issued an LTS announcement and the package metadata is tracked on Packagist to support patching.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-0576
Vulnerability details
Adminer is an open-source database management tool in a single PHP file. In Adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
- CWE(s): CWE-918
- KEV Date Added: 29 September 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces information flow policies that block the server from initiating arbitrary outbound connections triggered by crafted SSRF requests.
- SC-7 (Boundary Protection): restricts and monitors outbound network traffic at system boundaries, directly preventing the unauthorized external requests enabled by the SSRF flaw.
- Input validation: validates all user-supplied input to Adminer to reject malicious parameters that induce server-side outbound connections.