Bug 2278850 (CVE-2024-4215)

Summary: CVE-2024-4215 pgadmin4: multi-factor authentication bypass
Product: Other (Security Response)
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: pgadmin4 rel-8_6
Bug Depends On: 2278852, 2278854, 2278856

Description TEJ RATHI 2024-05-03 11:13:47 UTC
pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account's username and password to authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status.

https://github.com/pgadmin-org/pgadmin4/issues/7425
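
The practical first step for anyone triaging this bug is to check whether an installed pgAdmin falls in the affected range (<= 8.5, fixed in pgadmin4 rel-8_6). The following is an added example, not code from pgAdmin or from this bug report; it assumes the version string is available either in the dotted form the package reports ("8.5", "8.10") or in the upstream tag form used in the Fixed In Version field ("rel-8_6"). The function names and the sample version strings are constructed for illustration.

```python
# Added example (not pgAdmin project code): decide whether a pgAdmin version
# is in the range this bug reports as affected (<= 8.5, fixed in rel-8_6).
# Accepts "8.5" / "8.10" style strings and the upstream "rel-8_6" tag style.
# The version strings used at the bottom are constructed sample input.
import re

FIXED_IN = (8, 6)  # from the bug's Fixed In Version field: pgadmin4 rel-8_6

_VERSION_RE = re.compile(r"^(?:rel-)?(\d+)[._](\d+)(?:[._](\d+))?$")


def parse_version(s: str) -> tuple:
    """Return a numeric (major, minor[, patch]) tuple; raise on unknown formats."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised pgAdmin version string: {s!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def is_affected(version: str) -> bool:
    """True when the version predates the fixed release.

    Comparison is numeric on (major, minor), so 8.10 is correctly treated as
    newer than 8.6 rather than lexically smaller.
    """
    return parse_version(version)[:2] < FIXED_IN


def triage(versions) -> dict:
    """Map each version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory of pgAdmin installs.
    for v, hit in triage(["8.5", "rel-8_6", "8.10", "7.8"]).items():
        print(f"{v:10s} {'AFFECTED' if hit else 'fixed'}")
```

One caveat: version comparison answers the upstream question only. Distribution packages (the Fedora tracking bugs listed below, for instance) may carry the fix as a backport without bumping the version, so confirm against the distribution's own advisory or changelog before treating an install as vulnerable or fixed.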

Comment 1 TEJ RATHI 2024-05-03 11:16:50 UTC
Created pgadmin4 tracking bugs for this issue:

Affects: fedora-38 [bug 2278852]
Affects: fedora-39 [bug 2278854]
Affects: fedora-40 [bug 2278856]