Lucene search

[email protected]NVD:CVE-2022-0959

HistoryMar 16, 2022 - 3:15 p.m.

CVE-2022-0959

2022-03-1615:15:16

CWE-434

CWE-22

[email protected]

web.nvd.nist.gov

csrf token upload

session cookie

file upload

permission check

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

26.9%

JSON

A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.

Affected configurations

Nvd

Node

postgresqlpgadmin_4Range<6.7

VendorProductVersionCPE
postgresqlpgadmin_4*cpe:2.3:a:postgresql:pgadmin_4:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
postgresql	pgadmin_4	*	cpe:2.3:a:postgresql:pgadmin_4::::::::

References

bugzilla.redhat.com/show_bug.cgi?id=2063759

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

26.9%

JSON

Related for NVD:CVE-2022-0959

osv3 nessus1 suse1 openvas3 redhatcve1 mageia1 cvelist1 cve1 veracode1 prion1 github1