CVE-2023-5002

2023-09-2214:15:47

CWE-78

[email protected]

web.nvd.nist.gov

2493

pgadmin

cve-2023-5002

security flaw

http api

postgresql

pg_dump

pg_restore

nvd

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

22.1%

JSON

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

Affected configurations

NVD

Node

pgadminpgadminRange<7.7postgresql

Node

fedoraprojectfedoraMatch37

fedoraprojectfedoraMatch38

CNA Affected

[
  {
    "versions": [
      {
        "status": "unaffected",
        "version": "7.7",
        "lessThan": "*",
        "versionType": "custom"
      }
    ],
    "packageName": "pgadmin4",
    "collectionURL": "https://github.com/pgadmin-org/pgadmin4"
  }
]