cvelistv5 - CVE-2024-2044

▼	URL	Tags
	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	https://github.com/pgadmin-org/pgadmin4/issues/7258
	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/
	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/

▼	Vendor	Product
	pgadmin.org	pgAdmin 4

ghsa-rj98-crf4-g69w

Vulnerability from github

Published

2024-03-07 21:30

Modified

2024-08-02 15:36

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user

Details

pgAdmin prior to version 8.4 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pgAdmin4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-2044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-31",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-07T22:39:27Z",
    "nvd_published_at": "2024-03-07T21:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "pgAdmin prior to version 8.4 is affected by a path-traversal vulnerability while deserializing users\u2019 sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution.",
  "id": "GHSA-rj98-crf4-g69w",
  "modified": "2024-08-02T15:36:37Z",
  "published": "2024-03-07T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2044"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/issues/7258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pgadmin-org/pgadmin4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV"
    },
    {
      "type": "WEB",
      "url": "https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user"
}

wid-sec-w-2024-0576

Vulnerability from csaf_certbund

Published

2024-03-06 23:00

Modified

2024-04-18 22:00

Summary

pgAdmin: Schwachstelle ermöglicht Codeausführung

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

pgAdmin ist eine Verwaltungs- und Entwicklungsplattform für die PostgreSQL-Datenbank.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in pgAdmin ausnutzen, um beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme

- Linux - MacOS X - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "pgAdmin ist eine Verwaltungs- und Entwicklungsplattform f\u00fcr die PostgreSQL-Datenbank.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in pgAdmin ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0576 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0576.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0576 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0576"
      },
      {
        "category": "external",
        "summary": "PGAdmin News Archive vom 2024-03-07",
        "url": "http://www.pgadmin.org/news/#96"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-15DF3B6D95 vom 2024-03-10",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-15df3b6d95"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1340-1 vom 2024-04-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018379.html"
      }
    ],
    "source_lang": "en-US",
    "title": "pgAdmin: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
    "tracking": {
      "current_release_date": "2024-04-18T22:00:00.000+00:00",
      "generator": {
        "date": "2024-04-19T09:37:57.587+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-0576",
      "initial_release_date": "2024-03-06T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-03-06T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-03-10T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2024-04-18T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "4 \u003cv8.4",
                "product": {
                  "name": "Open Source pgAdmin 4 \u003cv8.4",
                  "product_id": "T033296",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:pgadmin:pgadmin:8.4::4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "pgAdmin"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-2044",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in pgAdmin 4 aufgrund einer unsicheren Deserialisierung. Ein authentisierter Angreifer kann dies ausnutzen, um beliebigen Code auszuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "74185"
        ]
      },
      "release_date": "2024-03-06T23:00:00Z",
      "title": "CVE-2024-2044"
    }
  ]
}

gsd-2024-2044

Vulnerability from gsd

Modified

2024-03-01 06:03

Details

pgAdmin 4 uses a file-based session management approach. The session files are saved on disk as pickle objects. When a user performs a request, the value of the session cookie 'pga4_session' is used to retrieve the file, then its content is deserialised, and finally its signature verified. The cookie value is split in 2 parts at the first '!' character. The first part is the session ID (sid), while the second is the session digest. The vulnerability lies in versions of pgAdmin prior to 8.4 where a method loads session files by concatenating the sessions folder - located inside the pgAdmin 4 DATA_DIR - with the session ID. Precisely, the two values are concatenated using the ['os.path.join'] function. It does not set a trusted base-path which should not be escaped

Aliases

CVE-2024-2044

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-2044"
      ],
      "details": "pgAdmin 4 uses a file-based session management approach. The session files are saved on disk as pickle objects. When a user performs a request, the value of the session cookie \u0027pga4_session\u0027 is used to retrieve the file, then its content is deserialised, and finally its signature verified.\nThe cookie value is split in 2 parts at the first \u0027!\u0027 character. The first part is the session ID (sid), while the second is the session digest.\n The vulnerability lies in versions of pgAdmin prior to 8.4 where a method loads session files by concatenating the sessions folder - located inside the pgAdmin 4 DATA_DIR - with the session ID. Precisely, the two values are concatenated using the [\u0027os.path.join\u0027] function. It does not set a trusted base-path which should not be escaped\n",
      "id": "GSD-2024-2044",
      "modified": "2024-03-01T06:03:00.837123Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@postgresql.org",
        "ID": "CVE-2024-2044",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "pgAdmin 4",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "lessThan": "8.4",
                                "status": "affected",
                                "version": "0",
                                "versionType": "custom"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "pgadmin.org"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "pgAdmin \u003c= 8.3 is affected by a path-traversal vulnerability while deserializing users\u2019 sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/pgadmin-org/pgadmin4/issues/7258",
            "refsource": "MISC",
            "url": "https://github.com/pgadmin-org/pgadmin4/issues/7258"
          },
          {
            "name": "https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/",
            "refsource": "MISC",
            "url": "https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "pgAdmin \u003c= 8.3 is affected by a path-traversal vulnerability while deserializing users\u2019 sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.\n"
          },
          {
            "lang": "es",
            "value": "pgAdmin 4 utiliza un enfoque de gesti\u00f3n de sesiones basado en archivos. Los archivos de sesi\u00f3n se guardan en el disco como objetos pickle. Cuando un usuario realiza una solicitud, el valor de la cookie de sesi\u00f3n \u0027pga4_session\u0027 se utiliza para recuperar el archivo, luego se deserializa su contenido y finalmente se verifica su firma. El valor de la cookie se divide en 2 partes en el primer \u0027!\u0027 personaje. La primera parte es el ID de la sesi\u00f3n (sid), mientras que la segunda es el resumen de la sesi\u00f3n. La vulnerabilidad radica en las versiones de pgAdmin anteriores a la 8.4, donde un m\u00e9todo carga archivos de sesi\u00f3n concatenando la carpeta de sesiones, ubicada dentro de pgAdmin 4 DATA_DIR, con el ID de sesi\u00f3n. Precisamente, los dos valores se concatenan usando la funci\u00f3n [\u0027os.path.join\u0027]. No establece una ruta base confiable de la que no se debe escapar"
          }
        ],
        "id": "CVE-2024-2044",
        "lastModified": "2024-03-23T03:15:12.063",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.1,
              "impactScore": 6.0,
              "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-07T21:15:08.767",
        "references": [
          {
            "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
            "url": "https://github.com/pgadmin-org/pgadmin4/issues/7258"
          },
          {
            "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/"
          },
          {
            "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
            "url": "https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/"
          }
        ],
        "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}

CVE-2024-2044

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

CVE-2024-2044

Vulnerability from cvelistv5

ghsa-rj98-crf4-g69w

Vulnerability from github

wid-sec-w-2024-0576

Vulnerability from csaf_certbund

gsd-2024-2044

Vulnerability from gsd

Tags

Sightings

Nomenclature