Source: adminer
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for adminer.

CVE-2023-45196[0]:
| Adminer and AdminerEvo allow an unauthenticated remote attacker to
| cause a denial of service by connecting to an attacker-controlled
| service that responds with HTTP redirects. The denial of service is
| subject to PHP configuration limits. Adminer is no longer supported,
| but this issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6

CVE-2023-45195[1]:
| Adminer and AdminerEvo are vulnerable to SSRF via database
| connection fields. This could allow an unauthenticated remote
| attacker to enumerate or access systems the attacker would not
| otherwise have access to. Adminer is no longer supported, but this
| issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc
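Both CVEs come down to one thing: a host value typed into the login form is handed straight to a network client. The following PHP is an added illustration of the defensive checks a web application can put in front of that step; it is not code from Adminer, AdminerEvo or the linked commits, and the names `ALLOWED_DB_HOSTS`, `validateDbHost`, `isNonPublicIp` and `noRedirectHttpContext` are hypothetical. The first part limits which hosts the application will connect to at all (the SSRF side), the second builds a stream context for any backend that is reached over HTTP so that a server answering with redirects is not followed (the denial-of-service side).

```php
<?php
// Added example, not part of Adminer or AdminerEvo.
// Defensive handling of a user-supplied database host before any connection is opened.
declare(strict_types=1);

// Hypothetical per-deployment allowlist of database hosts (constructed sample values).
const ALLOWED_DB_HOSTS = ['db.internal.example', '10.20.0.5'];

// True when $ip is a valid IP literal inside a loopback, link-local, private or reserved range.
// FILTER_FLAG_NO_PRIV_RANGE covers 10/8, 172.16/12, 192.168/16 and fc00::/7;
// FILTER_FLAG_NO_RES_RANGE covers 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96 and fe80::/10.
// Ranges such as 100.64.0.0/10 are not covered by these flags; extend the check if they matter to you.
function isNonPublicIp(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false; // not an IP literal at all; the caller handles hostnames
    }
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns the normalised host when it may be used, throws otherwise.
function validateDbHost(string $host, array $allowlist = ALLOWED_DB_HOSTS): string
{
    $host = strtolower(trim($host));

    // 1. Accept only a bare hostname or IP literal: no scheme, credentials, port or path,
    //    so the field cannot steer the client to a different protocol or endpoint.
    $looksLikeName = preg_match('/^[a-z0-9.\-]{1,253}$/', $host) === 1;
    $looksLikeIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    if (!$looksLikeName && !$looksLikeIp) {
        throw new InvalidArgumentException('host must be a bare hostname or IP literal');
    }

    // 2. Preferred control: an explicit allowlist configured by the deployment.
    if ($allowlist !== []) {
        if (!in_array($host, $allowlist, true)) {
            throw new InvalidArgumentException('host is not in the allowlist');
        }
        return $host;
    }

    // 3. Fallback when no allowlist exists: resolve the name and refuse every address that
    //    points at loopback, link-local, private or reserved space. Fails closed when
    //    resolution yields nothing. gethostbynamel() only returns IPv4 records.
    $addresses = $looksLikeIp ? [$host] : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        throw new InvalidArgumentException('host does not resolve');
    }
    foreach ($addresses as $ip) {
        if (isNonPublicIp($ip)) {
            throw new InvalidArgumentException("host resolves to non-public address $ip");
        }
    }
    return $host;
}

// Stream context for backends spoken to over HTTP: never follow Location headers and
// bound the wait, so a server that only ever answers with redirects cannot keep the
// client busy until PHP's time or memory limits are hit.
function noRedirectHttpContext(float $timeoutSeconds = 5.0)
{
    return stream_context_create([
        'http' => [
            'follow_location' => 0,   // do not follow redirects at all
            'max_redirects'   => 1,   // PHP treats 1 or less as "no redirects"
            'timeout'         => $timeoutSeconds,
            'ignore_errors'   => true, // hand back the 3xx response instead of failing
        ],
    ]);
}

// Constructed inputs for a stand-alone run.
$samples = ['db.internal.example', 'DB.Internal.Example', '10.20.0.5', '127.0.0.1',
            'redirector.example.net:8080', '169.254.169.254'];
foreach ($samples as $s) {
    try {
        echo "$s: allowed as " . validateDbHost($s) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$s: rejected (" . $e->getMessage() . ")\n";
    }
}
// Same inputs with no allowlist configured: the address-range check takes over.
foreach (['127.0.0.1', '169.254.169.254'] as $s) {
    try {
        echo "$s (no allowlist): allowed\n";
        validateDbHost($s, []);
    } catch (InvalidArgumentException $e) {
        echo "$s (no allowlist): rejected (" . $e->getMessage() . ")\n";
    }
}
```

The allowlist is the control to prefer: it removes the question of which address ranges are "internal" in a given deployment. The resolve-and-check fallback is only defence in depth, and it is checked before the connection is made, so a name whose records change between the check and the connect (DNS rebinding) can still slip through unless the connection is made to the address that was checked.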

It seems adminer is dead upstream and adminerevo picked up development,
so most likely Debian should follow the new upstream?


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45196
    https://www.cve.org/CVERecord?id=CVE-2023-45196
[1] https://security-tracker.debian.org/tracker/CVE-2023-45195
    https://www.cve.org/CVERecord?id=CVE-2023-45195

Please adjust the affected versions in the BTS as needed.
