CVE-2021-29625

Published: 19 May 2021

Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).

Priority

Cvss 3 Severity Score

6.1

Score breakdown

Status

Package	Release	Status
adminer Launchpad, Ubuntu, Debian	bionic	Released (4.6.2-1ubuntu0.1~esm1) Available with Ubuntu Pro
	focal	Released (4.7.6-1ubuntu0.1~esm1) Available with Ubuntu Pro
	groovy	Ignored (end of life)
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Not vulnerable (4.8.1-1)
	kinetic	Not vulnerable (4.8.1-1)
	lunar	Not vulnerable (4.8.1-1)
	mantic	Not vulnerable (4.8.1-1)
	trusty	Does not exist
	upstream	Released (4.8.1)
	xenial	Not vulnerable (code not present)
	Patches: upstream: https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7

Severity score breakdown

Parameter	Value
Base score	6.1
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988886

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›