
CVE-2023-5002
Published: 2023-09-22 14:15:47
CWE: CWE-78
Source: web.nvd.nist.gov
Tags: pgadmin, cve-2023-5002, security flaw, http api, postgresql, pg_dump, pg_restore, nvd

CVSS3 base score: 8.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 8.5 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 22.1%)

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

Affected configurations

NVD
Node: pgadmin pgadmin (postgresql), Range < 7.7
Node: fedoraproject fedora, Match 37 OR fedoraproject fedora, Match 38

CPE / Name / Operator / Version
pgadmin:pgadmin / pgadmin / lt / 7.7

CNA Affected

[
  {
    "versions": [
      {
        "status": "unaffected",
        "version": "7.7",
        "lessThan": "*",
        "versionType": "custom"
      }
    ],
    "packageName": "pgadmin4",
    "collectionURL": "https://github.com/pgadmin-org/pgadmin4"
  }
]
