CVE-2021-21311: 
PHP vulnerability analysis and mitigation

Adminer, an open-source database management system in a single PHP file, was found to contain a server-side request forgery (SSRF) vulnerability (CVE-2021-21311). The vulnerability affected versions from 4.0.0 to 4.7.8, specifically impacting users of Adminer versions bundling all drivers (e.g., adminer.php). The issue was discovered and disclosed in February 2021, and was subsequently fixed in version 4.7.9 (GitHub Advisory).

The vulnerability was identified as a server-side request forgery (SSRF) issue present in the error page handling of Elasticsearch and ClickHouse drivers. The severity of the vulnerability was rated as Moderate, with a CVSS 3.1 base score of 7.2 (High). The vulnerability is classified under CWE-918 (Ubuntu CVE).

The vulnerability could potentially allow attackers to perform server-side request forgery attacks against systems running affected versions of Adminer. This particularly affected installations using the bundle with all drivers, specifically the adminer.php file (GitHub Advisory).

Several mitigation options were provided: 1) Upgrade to version 4.7.9 or later which contains the fix, 2) Use a single driver version (e.g., adminer-mysql.php) instead of the bundle, 3) Implement additional protection measures such as HTTP password authentication, IP address limiting, or OTP plugin. The fix was implemented in commit ccd2374 (GitHub Advisory).