SSRF on error page of Elasticsearch and ClickHouse · Advisory · vrana/adminer · GitHub
SSRF on error page of Elasticsearch and ClickHouse
Moderate
Package
bundle with all drivers
Affected versions
4.0.0 to 4.7.8
Patched versions
4.7.9
Description
Severity
Moderate
CVE ID
CVE-2021-21311
Weaknesses
Weakness CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.
Credits
- bpsizemore (Analyst)
- UNC1739 (Analyst)
Impact
Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected.
Patches
Patched by ccd2374, included in version 4.7.9.
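A triage check for the version range above, as an added example that is not part of the advisory or of Adminer's code. It assumes a deployed Adminer file carries an `@version X.Y.Z` line in its header comment; the function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Range stated in the advisory: affected 4.0.0 to 4.7.8, patched in 4.7.9.
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 7, 8)

# Assumption: the file header comment contains a line "@version X.Y.Z".
VERSION_RE = re.compile(rb"@version\s+(\d+)\.(\d+)(?:\.(\d+))?")


def adminer_version(path, head_bytes=4096):
    """Return (major, minor, patch) parsed from the file header, or None."""
    with open(path, "rb") as fh:
        match = VERSION_RE.search(fh.read(head_bytes))
    if match is None:
        return None
    return tuple(int(part or 0) for part in match.groups())


def classify(version):
    """Map a parsed version onto the advisory's affected range."""
    if version is None:
        return "unknown"  # no version header found: review by hand
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def scan(root):
    """Classify every *.php file under root whose header names a version."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        version = adminer_version(path)
        if version is not None:
            results[path.name] = classify(version)
    return results


def demo():
    """Scan constructed sample files (not real Adminer builds)."""
    header = "<?php\n/** Adminer - Compact database management\n* @version {}\n*/\n"
    samples = [("old.php", "4.7.8"), ("new.php", "4.7.9"), ("ancient.php", "3.7.1")]
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in samples:
            Path(tmp, name).write_text(header.format(ver))
        Path(tmp, "index.php").write_text("<?php echo 'hi';\n")  # no header: skipped
        return scan(tmp)
```

A version match alone does not show whether a file is the all-drivers bundle the advisory names, so confirm that separately for each hit.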
Workarounds
adminer-mysql.php).
References
https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
For more information
If you have any questions or comments about this advisory: