GoogleOSV:GHSA-GHP8-52VX-77J4pgAdmin failed to properly control the server code
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
28.0%
A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.
References
bugzilla.redhat.com/show_bug.cgi?id=2239164
github.com/pgadmin-org/pgadmin4
github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2
github.com/pgadmin-org/pgadmin4/issues/6763
lists.fedoraproject.org/archives/list/[email protected]/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW
lists.fedoraproject.org/archives/list/[email protected]/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3
nvd.nist.gov/vuln/detail/CVE-2023-5002
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
28.0%