Lucene search

K

GitHub Advisory DatabaseGHSA-GHP8-52VX-77J4

HistorySep 22, 2023 - 3:30 p.m.

pgAdmin failed to properly control the server code

2023-09-2215:30:15

GitHub Advisory Database

github.com

12

pgadmin

server code

http api

postgresql utilities

pg_dump

pg_restore

authenticated user

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

28.0%

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

Affected configurations

Vulners

Node

pgadmin4Range<7.7

References

bugzilla.redhat.com/show_bug.cgi?id=2239164

github.com/advisories/GHSA-ghp8-52vx-77j4

github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2

github.com/pgadmin-org/pgadmin4/issues/6763

lists.fedoraproject.org/archives/list/[email protected]/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/

lists.fedoraproject.org/archives/list/[email protected]/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/

nvd.nist.gov/vuln/detail/CVE-2023-5002

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

28.0%

Related for GHSA-GHP8-52VX-77J4

nvd1 openvas2 redos1 fedora2 veracode1 nessus2 vulnrichment1 osv2 prion1 cvelist1 cve1