Bug 2239164 (CVE-2023-5002) - CVE-2023-5002 pgadmin4: remote code execution by an authenticated user
Summary: CVE-2023-5002 pgadmin4: remote code execution by an authenticated user
Keywords:
Status: NEW
Alias: CVE-2023-5002
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2240071
Blocks: 2239165
Reported: 2023-09-15 16:22 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-21 19:36 UTC (History)

Fixed In Version: pgadmin4 7.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Guilherme de Almeida Suckevicz 2023-09-15 16:22:57 UTC
The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from.

Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, which could allow an authenticated user to run arbitrary commands on the server. Users can use commands as filenames and then validate the path using the API. This would inject the command into the path validator and execute the command on the pgAdmin server.

This issue does not affect users running pgAdmin in desktop mode.

Reference:
https://github.com/pgadmin-org/pgadmin4/issues/6763
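The description above says the server runs the utility at a user-selected path to read its PostgreSQL version, and that an uncontrolled path lets command text in the "filename" reach the executor. The example below is added here and is not pgAdmin's code (the project's actual validator is not reproduced); it shows how such a version probe can be written so that the user-supplied string is only ever an argv element, never shell text: the path is canonicalised (so a symlink named pg_dump that points elsewhere is seen for what it is), its basename must be on an allowlist of utility names, it must be an executable regular file, optionally inside an allowed directory, and `--version` is run without a shell. The function names, `ALLOWED_UTILITIES`, and the fake utility script are assumptions constructed for this example.

```python
"""Added example (not pgAdmin's code): validate a user-selected path to an
external PostgreSQL utility and probe its version without using a shell."""
import os
import re
import stat
import subprocess
import tempfile

# Utility names a user may point the validator at (assumption for this example).
ALLOWED_UTILITIES = {"pg_dump", "pg_dumpall", "pg_restore", "psql"}
# Real pg_dump prints e.g. "pg_dump (PostgreSQL) 15.4".
VERSION_RE = re.compile(r"\(PostgreSQL\)\s+(\d+(?:\.\d+)*)")


class PathValidationError(ValueError):
    """Raised when a user-supplied path fails the structural checks."""


def validate_utility_path(user_path: str, allowed_dirs=()) -> str:
    """Return the canonical path of an allowed utility binary, or raise.

    Every check is structural (basename allowlist, regular executable file,
    optional directory allowlist) so that strings such as 'pg_dump; id' or a
    decoy symlink are rejected before anything is executed."""
    if not user_path or "\x00" in user_path:
        raise PathValidationError("empty or NUL-containing path")
    # realpath resolves '..' and symlinks: a link named pg_dump -> /bin/sh
    # becomes /bin/sh here and fails the basename check below.
    canonical = os.path.realpath(user_path)
    if os.path.basename(canonical) not in ALLOWED_UTILITIES:
        raise PathValidationError(f"not an allowed utility name: {canonical}")
    if allowed_dirs and not any(
        os.path.dirname(canonical) == os.path.realpath(d) for d in allowed_dirs
    ):
        raise PathValidationError(f"outside allowed directories: {canonical}")
    try:
        st = os.stat(canonical)
    except OSError as exc:
        raise PathValidationError(f"cannot stat {canonical}: {exc}") from exc
    if not stat.S_ISREG(st.st_mode) or not os.access(canonical, os.X_OK):
        raise PathValidationError(f"not an executable regular file: {canonical}")
    return canonical


def is_valid_utility_path(user_path: str, allowed_dirs=()) -> bool:
    """Boolean wrapper around validate_utility_path for callers and tests."""
    try:
        validate_utility_path(user_path, allowed_dirs)
        return True
    except PathValidationError:
        return False


def probe_utility_version(user_path: str, timeout: float = 5.0) -> str:
    """Validate the path, then run '<utility> --version' as an argv list.

    No shell is involved, so the path is a single argv[0] element; the only
    thing the user controls is which allowlisted, executable file is run."""
    exe = validate_utility_path(user_path)
    result = subprocess.run([exe, "--version"], capture_output=True, text=True,
                            timeout=timeout, check=False)
    match = VERSION_RE.search(result.stdout)
    if not match:
        raise PathValidationError(f"unrecognised --version output: {result.stdout!r}")
    return match.group(1)


def make_fake_utility(name: str = "pg_dump", version: str = "15.4") -> str:
    """Constructed stand-in for a real binary: a tiny shell script whose
    --version output mimics pg_dump's. For demonstration only."""
    directory = tempfile.mkdtemp(prefix="pgutil-")
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho '{name} (PostgreSQL) {version}'\n")
    os.chmod(path, 0o755)
    return path


def run_demo() -> dict:
    """Exercise the validator on constructed inputs and return the outcomes."""
    good = make_fake_utility("pg_dump", "15.4")
    decoy_dir = tempfile.mkdtemp(prefix="pgdecoy-")
    decoy = os.path.join(decoy_dir, "pg_restore")
    os.symlink("/bin/sh", decoy)  # right name, resolves to the wrong binary
    return {
        "good_version": probe_utility_version(good),
        "shell_metachars": is_valid_utility_path("pg_dump; id"),
        "wrong_basename": is_valid_utility_path("/bin/sh"),
        "symlink_decoy": is_valid_utility_path(decoy),
        "missing_file": is_valid_utility_path("/nonexistent/pg_dump"),
        "outside_allowed_dir": is_valid_utility_path(good, allowed_dirs=("/usr/bin",)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The basename allowlist and argv-list execution close the injection path the report describes; the optional `allowed_dirs` check is the stronger control, since it also stops a user pointing the probe at an executable they placed elsewhere on the server. A service exposing such a probe should also log the canonical path it ran, so that unexpected locations show up in monitoring.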

Comment 1 Guilherme de Almeida Suckevicz 2023-09-21 15:47:17 UTC
Created pgadmin4 tracking bugs for this issue:

Affects: fedora-all [bug 2240071]

