Description
Adminer is a tool for managing content in MySQL databases. It is distributed under the Apache license as a single PHP file.
Adminer versions up to and including 4.6.2 supported the SQL statement LOAD DATA INFILE. Because of a protocol flaw in MySQL, this statement could be used to read arbitrary local files.
Remediation
Upgrade to the latest version of Adminer. This vulnerability was fixed in Adminer version 4.6.3.
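To find deployments that still need the upgrade, the following added example (not part of the original advisory or of Adminer itself) walks a web root and flags single-file Adminer copies older than 4.6.3. It assumes the file keeps its `@version X.Y.Z` docblock tag near the top; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

FIXED = (4, 6, 3)  # first fixed release, per the advisory above
# Assumption: the file carries a "@version X.Y.Z" docblock tag near the top.
VERSION_TAG = re.compile(rb"@version\s+(\d+(?:\.\d+)*)")
ADMINER_MARK = re.compile(rb"Adminer", re.IGNORECASE)
# Constructed sample header, used only to exercise classify().
SAMPLE_HEAD = b"<?php\n/** Adminer - Compact database management\n* @version 4.6.2\n*/"


def parse_version(text):
    """'4.6.2' -> (4, 6, 2); numeric, so 4.10.0 sorts above 4.6.3."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(head):
    """Return (status, version) for the first bytes of a PHP file."""
    if not ADMINER_MARK.search(head):
        return ("not-adminer", None)
    m = VERSION_TAG.search(head)
    if not m:
        return ("unknown-version", None)  # header stripped: review by hand
    version = parse_version(m.group(1).decode("ascii"))
    return ("vulnerable" if version < FIXED else "fixed", version)


def scan(root):
    """Yield (path, status, version) for Adminer-looking PHP files under root."""
    for path in Path(root).rglob("*.php"):
        try:
            with path.open("rb") as fh:
                head = fh.read(4096)
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        status, version = classify(head)
        if status != "not-adminer":
            yield (path, status, version)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, status, version in scan(root):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:16} {shown:8} {path}")
```

Adminer is often uploaded under a renamed file, so the scan keys on file content rather than on the name `adminer.php`; files reported as `unknown-version` need a manual look.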