Debian Bug report logs - #988886
adminer: CVE-2021-29625: XSS in doc_link


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 20 May 2021 19:03:01 UTC

Severity: important

Tags: security, upstream

Found in versions adminer/4.7.9-1, adminer/4.7.1-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Alexandre Rossi <alexandre.rossi@gmail.com>:
Bug#988886; Package src:adminer. (Thu, 20 May 2021 19:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Alexandre Rossi <alexandre.rossi@gmail.com>. (Thu, 20 May 2021 19:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: adminer: CVE-2021-29625: XSS in doc_link
Date: Thu, 20 May 2021 21:00:39 +0200
Source: adminer
Version: 4.7.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for adminer.

CVE-2021-29625[0]:
| Adminer is open-source database management software. A cross-site
| scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects
| users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases
| prevented by strict CSP in all modern browsers. The only exception is
| when Adminer is using a `pdo_` extension to communicate with the
| database (it is used if the native extensions are not enabled). In
| browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected.
| The vulnerability is patched in version 4.8.1. As workarounds, one can
| use a browser supporting strict CSP or enable the native PHP
| extensions (e.g. `mysqli`) or disable displaying PHP errors
| (`display_errors`).

I'm slightly confused about the available information about the
affected version. From the code it looks to me that 4.7.1 as in stable
would be affected as well, but upstream is claiming 4.7.8 is affected
to 4.8.0. Though as well the Impact message mentions version back to
4.6.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29625
[1] https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc
[2] https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#988886; Package src:adminer. (Fri, 21 May 2021 10:42:03 GMT)


Acknowledgement sent to Alexandre Rossi <alexandre.rossi@gmail.com>:
Extra info received and forwarded to list. (Fri, 21 May 2021 10:42:03 GMT)


Message #10 received at 988886@bugs.debian.org:

From: Alexandre Rossi <alexandre.rossi@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 988886@bugs.debian.org
Cc: Chris Lamb <lamby@debian.org>
Subject: Re: Bug#988886: adminer: CVE-2021-29625: XSS in doc_link
Date: Fri, 21 May 2021 12:39:42 +0200
found 988886 4.7.1-1
thanks

Hi,

Thanks for bringing this to my attention.

> I'm slightly confused about the available information about the
> affected version. From the code it looks to me that 4.7.1 as in stable
> would be affected as well, but upstream is claiming 4.7.8 is affected
> to 4.8.0. Though as well the Impact message mentions version back to
> 4.6.1.

I could reproduce with both 4.7.1 and 4.7.9 and Internet Explorer as a
browser. I could not reproduce with 4.8.1, which fixes this.

The test URL:
http://host/adminer-4.7.1.php?server=localhost&username=root&db=mysql&table=event%27%3E%3Csvg/onload=alert(document.cookie)%3E

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'm a bit confused as to where and when to fix this. My understanding
is the following

buster : I assume from your message that this does not warrant a DSA.
Then I'll update
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960396
bullseye : this bug is not RC, so no update.
unstable : will fix after the release by uploading 4.8.1 or later.

Thanks for your advice if my understanding is wrong, regards,

Alex
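
The reproduction above shows the payload arriving in the `table` query parameter, which Adminer reflects into the doc_link markup. As an added example that is not part of the bug report, the following Python scans web-server access-log lines (constructed sample lines, modelled on the thread's test URL) and flags requests whose reflected parameters carry markup, so a defender can spot probes for this bug in existing logs; the parameter list and the regexes are assumptions, not Adminer's code.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the bug report). Line 1
# mirrors the reproduction URL quoted in the thread; the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2021:12:39:42 +0200] "GET /adminer-4.7.1.php?server=localhost&username=root&db=mysql&table=event%27%3E%3Csvg/onload=alert(document.cookie)%3E HTTP/1.1" 200 5120
203.0.113.9 - - [21/May/2021:12:40:01 +0200] "GET /adminer-4.7.1.php?server=localhost&username=root&db=mysql&table=event HTTP/1.1" 200 5120
203.0.113.9 - - [21/May/2021:12:40:07 +0200] "GET /adminer-4.7.1.php?server=localhost&username=root&db=mysql&select=event&where%5B0%5D%5Bcol%5D=name HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Query parameters that Adminer reflects into page markup (assumed list).
WATCHED = ("table", "db", "select", "server", "username")
# Markup indicators: angle brackets or an inline event-handler attribute.
MARKUP_RE = re.compile(r"[<>]|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_params(url):
    """Return {param: decoded value} for watched params whose value carries markup."""
    query = urlsplit(url).query
    hits = {}
    # parse_qs splits on the first '=' only, so the '=' inside onload= stays in the value
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key not in WATCHED:
            continue
        for value in values:
            # parse_qs already decoded once; decode again to catch double-encoded probes
            decoded = unquote(value)
            if MARKUP_RE.search(decoded):
                hits[key] = decoded
    return hits


def scan_log(text):
    """Return [(line_no, hits)] for every request line that looks like an XSS probe."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            findings.append((line_no, hits))
    return findings


if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```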



Marked as found in versions adminer/4.7.1-1. Request was from Alexandre Rossi <alexandre.rossi@gmail.com> to control@bugs.debian.org. (Fri, 21 May 2021 10:42:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri May 21 12:43:50 2021; Machine Name: bembo