Adminer <= 4.3.1 SSRF Vulnerability - Windows

2019-01-2000:00:00

plugins.openvas.org

121

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.007

Percentile

80.0%

JSON

Adminer is prone to a server-side request forgery (SSRF)
vulnerability.

# SPDX-FileCopyrightText: 2019 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:adminer:adminer";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.108533");
  script_version("2024-06-28T15:38:46+0000");
  script_tag(name:"last_modification", value:"2024-06-28 15:38:46 +0000 (Fri, 28 Jun 2024)");
  script_tag(name:"creation_date", value:"2019-01-20 14:05:39 +0100 (Sun, 20 Jan 2019)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2018-03-27 13:32:00 +0000 (Tue, 27 Mar 2018)");
  script_cve_id("CVE-2018-7667");
  script_name("Adminer <= 4.3.1 SSRF Vulnerability - Windows");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2019 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_adminer_detect.nasl", "os_detection.nasl");
  script_mandatory_keys("adminer/detected", "Host/runs_windows");

  script_xref(name:"URL", value:"https://github.com/vrana/adminer/releases/tag/v4.4.0");
  script_xref(name:"URL", value:"http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt");
  script_xref(name:"URL", value:"https://seclists.org/fulldisclosure/2018/Jan/64");
  script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/43593");

  script_tag(name:"summary", value:"Adminer is prone to a server-side request forgery (SSRF)
  vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Adminer allows unauthenticated connections to be initiated to arbitrary systems/ports.");

  script_tag(name:"impact", value:"This vulnerability can be used to potentially bypass firewalls to
  identify internal hosts and perform port scanning of other servers for reconnaissance purposes.");

  script_tag(name:"affected", value:"Adminer version 4.3.1 and prior.");

  script_tag(name:"solution", value:"Update to version 4.4.0 or later which disables the possibility to connect
  to privileged ports. Please note that this is only partially mitigating this vulnerability and port scanning
  is still possible against ports in the range of > 1024.");

  script_tag(name:"qod_type", value:"remote_banner");
  script_tag(name:"solution_type", value:"Mitigation");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if( ! port = get_app_port( cpe:CPE ) )
  exit( 0 );

if( ! info = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )
  exit( 0 );

vers = info["version"];
if( version_is_less( version:vers, test_version:"4.4.0" ) ) {
  report = report_fixed_ver( installed_version:vers, fixed_version:"4.4.0", install_path:info["location"] );
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );