cvelistv5 - cve-2023-5002

CVE-2023-5002 (GCVE-0-2023-5002)

Vulnerability from cvelistv5 – Published: 2023-09-22 13:31 – Updated: 2024-08-02 07:44

Summary

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

Severity ?

6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

fedora

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=2239164	issue-trackingx_refsource_REDHAT
	https://github.com/pgadmin-org/pgadmin4/issues/6763
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…

Impacted products

	Vendor	Product	Version
			Unaffected: 7.7 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:pgadmin:pgadmin:-:*:*:*:*:postgresql:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "pgadmin",
            "vendor": "pgadmin",
            "versions": [
              {
                "lessThan": "7.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5002",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-14T16:28:49.140419Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:28:36.879Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:53.739Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHBZ#2239164",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/pgadmin-org/pgadmin4/issues/6763"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/pgadmin-org/pgadmin4",
          "packageName": "pgadmin4",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-09-21T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-19T13:43:46.842Z",
        "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
        "shortName": "fedora"
      },
      "references": [
        {
          "name": "RHBZ#2239164",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164"
        },
        {
          "url": "https://github.com/pgadmin-org/pgadmin4/issues/6763"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-13T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-09-21T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Pgadmin4: remote code execution by an authenticated user",
      "x_redhatCweChain": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
    "assignerShortName": "fedora",
    "cveId": "CVE-2023-5002",
    "datePublished": "2023-09-22T13:31:43.124Z",
    "dateReserved": "2023-09-15T16:22:28.547Z",
    "dateUpdated": "2024-08-02T07:44:53.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pgadmin:pgadmin:*:*:*:*:*:postgresql:*:*\", \"versionEndExcluding\": \"7.7\", \"matchCriteriaId\": \"15620E97-9BD2-4309-84E7-53EBF74D0CDE\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 una falla en pgAdmin. Este problema ocurre cuando la API HTTP del servidor pgAdmin valida la ruta que un usuario selecciona a las utilidades externas de PostgreSQL, como pg_dump y pg_restore. Las versiones de pgAdmin anteriores a la 7.6 no pudieron controlar adecuadamente el c\\u00f3digo del servidor ejecutado en esta API, lo que permiti\\u00f3 a un usuario autenticado ejecutar comandos arbitrarios en el servidor.\"}]",
      "id": "CVE-2023-5002",
      "lastModified": "2024-11-21T08:40:51.867",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"patrick@puiterwijk.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H\", \"baseScore\": 6.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.5, \"impactScore\": 5.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2023-09-22T14:15:47.213",
      "references": "[{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2239164\", \"source\": \"patrick@puiterwijk.org\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/pgadmin-org/pgadmin4/issues/6763\", \"source\": \"patrick@puiterwijk.org\", \"tags\": [\"Issue Tracking\", \"Patch\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/\", \"source\": \"patrick@puiterwijk.org\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/\", \"source\": \"patrick@puiterwijk.org\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2239164\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/pgadmin-org/pgadmin4/issues/6763\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}]",
      "sourceIdentifier": "patrick@puiterwijk.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"patrick@puiterwijk.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-5002\",\"sourceIdentifier\":\"patrick@puiterwijk.org\",\"published\":\"2023-09-22T14:15:47.213\",\"lastModified\":\"2025-03-17T16:43:52.873\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una falla en pgAdmin. Este problema ocurre cuando la API HTTP del servidor pgAdmin valida la ruta que un usuario selecciona a las utilidades externas de PostgreSQL, como pg_dump y pg_restore. Las versiones de pgAdmin anteriores a la 7.6 no pudieron controlar adecuadamente el c\u00f3digo del servidor ejecutado en esta API, lo que permiti\u00f3 a un usuario autenticado ejecutar comandos arbitrarios en el servidor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"patrick@puiterwijk.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.5,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"patrick@puiterwijk.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*\",\"versionEndExcluding\":\"7.7\",\"matchCriteriaId\":\"0D507558-5430-4624-8E76-6FA8C66E48ED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2239164\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pgadmin-org/pgadmin4/issues/6763\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2239164\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pgadmin-org/pgadmin4/issues/6763\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2239164\", \"name\": \"RHBZ#2239164\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://github.com/pgadmin-org/pgadmin4/issues/6763\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T07:44:53.739Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-5002\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-14T16:28:49.140419Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:pgadmin:pgadmin:-:*:*:*:*:postgresql:*:*\"], \"vendor\": \"pgadmin\", \"product\": \"pgadmin\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-14T16:29:55.624Z\"}}], \"cna\": {\"title\": \"Pgadmin4: remote code execution by an authenticated user\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"versions\": [{\"status\": \"unaffected\", \"version\": \"7.7\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"packageName\": \"pgadmin4\", \"collectionURL\": \"https://github.com/pgadmin-org/pgadmin4\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-09-13T00:00:00+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2023-09-21T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2023-09-21T00:00:00+00:00\", \"references\": [{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2239164\", \"name\": \"RHBZ#2239164\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/pgadmin-org/pgadmin4/issues/6763\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"shortName\": \"fedora\", \"dateUpdated\": \"2024-04-19T13:43:46.842Z\"}, \"x_redhatCweChain\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-5002\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T07:44:53.739Z\", \"dateReserved\": \"2023-09-15T16:22:28.547Z\", \"assignerOrgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"datePublished\": \"2023-09-22T13:31:43.124Z\", \"assignerShortName\": \"fedora\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

WID-SEC-W-2023-2416

Vulnerability from csaf_certbund - Published: 2023-09-20 22:00 - Updated: 2023-09-26 22:00

Summary

pgAdmin: Schwachstelle ermöglicht Ausführung von Kommandos

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

pgAdmin ist eine Verwaltungs- und Entwicklungsplattform für die PostgreSQL-Datenbank.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in pgAdmin ausnutzen, um beliebige Kommandos auszuführen.

Betroffene Betriebssysteme

- UNIX - Linux - MacOS X - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "pgAdmin ist eine Verwaltungs- und Entwicklungsplattform f\u00fcr die PostgreSQL-Datenbank.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in pgAdmin ausnutzen, um beliebige Kommandos auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- MacOS X\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2416 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2416.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2416 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2416"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2023-478AA17FA2 vom 2023-09-26",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2023-478aa17fa2"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2023-8CC61C8B14 vom 2023-09-26",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2023-8cc61c8b14"
      },
      {
        "category": "external",
        "summary": "pgAdmin 4 v7.7 Release vom 2023-09-21",
        "url": "http://www.pgadmin.org/news/#90"
      }
    ],
    "source_lang": "en-US",
    "title": "pgAdmin: Schwachstelle erm\u00f6glicht Ausf\u00fchrung von Kommandos",
    "tracking": {
      "current_release_date": "2023-09-26T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:58:44.031+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2416",
      "initial_release_date": "2023-09-20T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-09-20T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-09-26T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source pgAdmin 4 \u003c v7.7",
            "product": {
              "name": "Open Source pgAdmin 4 \u003c v7.7",
              "product_id": "T030023",
              "product_identification_helper": {
                "cpe": "cpe:/a:pgadmin:pgadmin:4__v7.7"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-5002",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine nicht n\u00e4her beschriebene Schwachstelle in pgAdmin bez\u00fcglich der \"validate binary path API\". Ein authentisierter Angreifer kann dies aus der Ferne ausnutzen, um beliebige Kommandos auszuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "74185"
        ]
      },
      "release_date": "2023-09-20T22:00:00.000+00:00",
      "title": "CVE-2023-5002"
    }
  ]
}

GHSA-GHP8-52VX-77J4

Vulnerability from github – Published: 2023-09-22 15:30 – Updated: 2025-03-17 21:33

Summary

pgAdmin failed to properly control the server code

Details

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

Severity ?

6.0 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pgadmin4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-22T20:35:36Z",
    "nvd_published_at": "2023-09-22T14:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.",
  "id": "GHSA-ghp8-52vx-77j4",
  "modified": "2025-03-17T21:33:27Z",
  "published": "2023-09-22T15:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5002"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/issues/6763"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pgadmin-org/pgadmin4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pgAdmin failed to properly control the server code "
}

GSD-2023-5002

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-5002

Aliases

CVE-2023-5002

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-5002",
    "id": "GSD-2023-5002"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-5002"
      ],
      "details": "A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.",
      "id": "GSD-2023-5002",
      "modified": "2023-12-13T01:20:51.090350Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "patrick@puiterwijk.org",
        "ID": "CVE-2023-5002",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-78",
                "lang": "eng",
                "value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164"
          },
          {
            "name": "https://github.com/pgadmin-org/pgadmin4/issues/6763",
            "refsource": "MISC",
            "url": "https://github.com/pgadmin-org/pgadmin4/issues/6763"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:pgadmin:pgadmin:*:*:*:*:*:postgresql:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "patrick@puiterwijk.org",
          "ID": "CVE-2023-5002"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pgadmin-org/pgadmin4/issues/6763",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Patch"
              ],
              "url": "https://github.com/pgadmin-org/pgadmin4/issues/6763"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/",
              "refsource": "MISC",
              "tags": [
                "Mailing List"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/",
              "refsource": "MISC",
              "tags": [
                "Mailing List"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-10-26T17:59Z",
      "publishedDate": "2023-09-22T14:15Z"
    }
  }
}

CERTFR-2023-AVI-0779

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans PostgreSQL pgAdmin. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	PostgreSQL	N/A	pgAdmin 4 versions antérieures à 7.7

References

Title

Publication Time

Tags

Bulletin de sécurité PostgreSQL CVE-2023-5002 du 25 septembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "pgAdmin 4 versions ant\u00e9rieures \u00e0 7.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "PostgreSQL",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-5002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5002"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0779",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-09-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans PostgreSQL pgAdmin. Elle permet\n\u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans PostgreSQL pgAdmin",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 PostgreSQL CVE-2023-5002 du 25 septembre 2023",
      "url": "https://www.postgresql.org/about/news/pgadmin-4-v77-released-2723/"
    }
  ]
}

CERTFR-2023-AVI-0779

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans PostgreSQL pgAdmin. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	PostgreSQL	N/A	pgAdmin 4 versions antérieures à 7.7

References

Title

Publication Time

Tags

Bulletin de sécurité PostgreSQL CVE-2023-5002 du 25 septembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "pgAdmin 4 versions ant\u00e9rieures \u00e0 7.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "PostgreSQL",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-5002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5002"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0779",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-09-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans PostgreSQL pgAdmin. Elle permet\n\u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans PostgreSQL pgAdmin",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 PostgreSQL CVE-2023-5002 du 25 septembre 2023",
      "url": "https://www.postgresql.org/about/news/pgadmin-4-v77-released-2723/"
    }
  ]
}

FKIE_CVE-2023-5002

Vulnerability from fkie_nvd - Published: 2023-09-22 14:15 - Updated: 2025-03-17 16:43

Severity ?

6.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
patrick@puiterwijk.org	https://bugzilla.redhat.com/show_bug.cgi?id=2239164	Issue Tracking, Third Party Advisory
patrick@puiterwijk.org	https://github.com/pgadmin-org/pgadmin4/issues/6763	Issue Tracking, Patch
patrick@puiterwijk.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/	Mailing List
patrick@puiterwijk.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=2239164	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pgadmin-org/pgadmin4/issues/6763	Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/	Mailing List

Impacted products

Vendor	Product	Version
pgadmin	pgadmin_4	*
fedoraproject	fedora	37
fedoraproject	fedora	38

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*",
              "matchCriteriaId": "0D507558-5430-4624-8E76-6FA8C66E48ED",
              "versionEndExcluding": "7.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
              "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en pgAdmin. Este problema ocurre cuando la API HTTP del servidor pgAdmin valida la ruta que un usuario selecciona a las utilidades externas de PostgreSQL, como pg_dump y pg_restore. Las versiones de pgAdmin anteriores a la 7.6 no pudieron controlar adecuadamente el c\u00f3digo del servidor ejecutado en esta API, lo que permiti\u00f3 a un usuario autenticado ejecutar comandos arbitrarios en el servidor."
    }
  ],
  "id": "CVE-2023-5002",
  "lastModified": "2025-03-17T16:43:52.873",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.5,
        "source": "patrick@puiterwijk.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-22T14:15:47.213",
  "references": [
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/pgadmin-org/pgadmin4/issues/6763"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239164"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/pgadmin-org/pgadmin4/issues/6763"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/"
    }
  ],
  "sourceIdentifier": "patrick@puiterwijk.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "patrick@puiterwijk.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2024-02178

Vulnerability from cnvd - Published: 2024-01-12

Title

pgAdmin命令执行漏洞

Description

pgAdmin是一个用于开源数据库PostgreSQL的开源管理和开发平台。 pgAdmin存在命令执行漏洞，该漏洞源于无法正确控制在此API上执行的服务器代码，经过身份验证的攻击者可利用该漏洞在服务器上运行任意命令。

Severity

中

Patch Name

pgAdmin命令执行漏洞的补丁

Patch Description

pgAdmin是一个用于开源数据库PostgreSQL的开源管理和开发平台。 pgAdmin存在命令执行漏洞，该漏洞源于无法正确控制在此API上执行的服务器代码，经过身份验证的攻击者可利用该漏洞在服务器上运行任意命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/pgadmin-org/pgadmin4/issues/6763

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-5002

Impacted products

Name
pgAdmin pgAdmin <7.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-5002",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-5002"
    }
  },
  "description": "pgAdmin\u662f\u4e00\u4e2a\u7528\u4e8e\u5f00\u6e90\u6570\u636e\u5e93PostgreSQL\u7684\u5f00\u6e90\u7ba1\u7406\u548c\u5f00\u53d1\u5e73\u53f0\u3002\n\npgAdmin\u5b58\u5728\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u65e0\u6cd5\u6b63\u786e\u63a7\u5236\u5728\u6b64API\u4e0a\u6267\u884c\u7684\u670d\u52a1\u5668\u4ee3\u7801\uff0c\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u670d\u52a1\u5668\u4e0a\u8fd0\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/pgadmin-org/pgadmin4/issues/6763",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-02178",
  "openTime": "2024-01-12",
  "patchDescription": "pgAdmin\u662f\u4e00\u4e2a\u7528\u4e8e\u5f00\u6e90\u6570\u636e\u5e93PostgreSQL\u7684\u5f00\u6e90\u7ba1\u7406\u548c\u5f00\u53d1\u5e73\u53f0\u3002\r\n\r\npgAdmin\u5b58\u5728\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u65e0\u6cd5\u6b63\u786e\u63a7\u5236\u5728\u6b64API\u4e0a\u6267\u884c\u7684\u670d\u52a1\u5668\u4ee3\u7801\uff0c\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u670d\u52a1\u5668\u4e0a\u8fd0\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "pgAdmin\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "pgAdmin pgAdmin \u003c7.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-5002",
  "serverity": "\u4e2d",
  "submitTime": "2023-09-26",
  "title": "pgAdmin\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e"
}

OPENSUSE-SU-2024:13379-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

pgadmin4-7.8-1.1 on GA media

Notes

Title of the patch

pgadmin4-7.8-1.1 on GA media

Description of the patch

These are all security issues fixed in the pgadmin4-7.8-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13379

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "pgadmin4-7.8-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the pgadmin4-7.8-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13379",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13379-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-5002 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-5002/"
      }
    ],
    "title": "pgadmin4-7.8-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13379-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pgadmin4-7.8-1.1.aarch64",
                "product": {
                  "name": "pgadmin4-7.8-1.1.aarch64",
                  "product_id": "pgadmin4-7.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-desktop-7.8-1.1.aarch64",
                "product": {
                  "name": "pgadmin4-desktop-7.8-1.1.aarch64",
                  "product_id": "pgadmin4-desktop-7.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-doc-7.8-1.1.aarch64",
                "product": {
                  "name": "pgadmin4-doc-7.8-1.1.aarch64",
                  "product_id": "pgadmin4-doc-7.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-web-uwsgi-7.8-1.1.aarch64",
                "product": {
                  "name": "pgadmin4-web-uwsgi-7.8-1.1.aarch64",
                  "product_id": "pgadmin4-web-uwsgi-7.8-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pgadmin4-7.8-1.1.ppc64le",
                "product": {
                  "name": "pgadmin4-7.8-1.1.ppc64le",
                  "product_id": "pgadmin4-7.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-desktop-7.8-1.1.ppc64le",
                "product": {
                  "name": "pgadmin4-desktop-7.8-1.1.ppc64le",
                  "product_id": "pgadmin4-desktop-7.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-doc-7.8-1.1.ppc64le",
                "product": {
                  "name": "pgadmin4-doc-7.8-1.1.ppc64le",
                  "product_id": "pgadmin4-doc-7.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-web-uwsgi-7.8-1.1.ppc64le",
                "product": {
                  "name": "pgadmin4-web-uwsgi-7.8-1.1.ppc64le",
                  "product_id": "pgadmin4-web-uwsgi-7.8-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pgadmin4-7.8-1.1.s390x",
                "product": {
                  "name": "pgadmin4-7.8-1.1.s390x",
                  "product_id": "pgadmin4-7.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-desktop-7.8-1.1.s390x",
                "product": {
                  "name": "pgadmin4-desktop-7.8-1.1.s390x",
                  "product_id": "pgadmin4-desktop-7.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-doc-7.8-1.1.s390x",
                "product": {
                  "name": "pgadmin4-doc-7.8-1.1.s390x",
                  "product_id": "pgadmin4-doc-7.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-web-uwsgi-7.8-1.1.s390x",
                "product": {
                  "name": "pgadmin4-web-uwsgi-7.8-1.1.s390x",
                  "product_id": "pgadmin4-web-uwsgi-7.8-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pgadmin4-7.8-1.1.x86_64",
                "product": {
                  "name": "pgadmin4-7.8-1.1.x86_64",
                  "product_id": "pgadmin4-7.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-desktop-7.8-1.1.x86_64",
                "product": {
                  "name": "pgadmin4-desktop-7.8-1.1.x86_64",
                  "product_id": "pgadmin4-desktop-7.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-doc-7.8-1.1.x86_64",
                "product": {
                  "name": "pgadmin4-doc-7.8-1.1.x86_64",
                  "product_id": "pgadmin4-doc-7.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "pgadmin4-web-uwsgi-7.8-1.1.x86_64",
                "product": {
                  "name": "pgadmin4-web-uwsgi-7.8-1.1.x86_64",
                  "product_id": "pgadmin4-web-uwsgi-7.8-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-7.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-7.8-1.1.aarch64"
        },
        "product_reference": "pgadmin4-7.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-7.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-7.8-1.1.ppc64le"
        },
        "product_reference": "pgadmin4-7.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-7.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-7.8-1.1.s390x"
        },
        "product_reference": "pgadmin4-7.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-7.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-7.8-1.1.x86_64"
        },
        "product_reference": "pgadmin4-7.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-desktop-7.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.aarch64"
        },
        "product_reference": "pgadmin4-desktop-7.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-desktop-7.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.ppc64le"
        },
        "product_reference": "pgadmin4-desktop-7.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-desktop-7.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.s390x"
        },
        "product_reference": "pgadmin4-desktop-7.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-desktop-7.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.x86_64"
        },
        "product_reference": "pgadmin4-desktop-7.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-doc-7.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.aarch64"
        },
        "product_reference": "pgadmin4-doc-7.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-doc-7.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.ppc64le"
        },
        "product_reference": "pgadmin4-doc-7.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-doc-7.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.s390x"
        },
        "product_reference": "pgadmin4-doc-7.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-doc-7.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.x86_64"
        },
        "product_reference": "pgadmin4-doc-7.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-web-uwsgi-7.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.aarch64"
        },
        "product_reference": "pgadmin4-web-uwsgi-7.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-web-uwsgi-7.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.ppc64le"
        },
        "product_reference": "pgadmin4-web-uwsgi-7.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-web-uwsgi-7.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.s390x"
        },
        "product_reference": "pgadmin4-web-uwsgi-7.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pgadmin4-web-uwsgi-7.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.x86_64"
        },
        "product_reference": "pgadmin4-web-uwsgi-7.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-5002",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-5002"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:pgadmin4-7.8-1.1.aarch64",
          "openSUSE Tumbleweed:pgadmin4-7.8-1.1.ppc64le",
          "openSUSE Tumbleweed:pgadmin4-7.8-1.1.s390x",
          "openSUSE Tumbleweed:pgadmin4-7.8-1.1.x86_64",
          "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.aarch64",
          "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.ppc64le",
          "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.s390x",
          "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.x86_64",
          "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.aarch64",
          "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.ppc64le",
          "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.s390x",
          "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.x86_64",
          "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.aarch64",
          "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.ppc64le",
          "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.s390x",
          "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-5002",
          "url": "https://www.suse.com/security/cve/CVE-2023-5002"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215603 for CVE-2023-5002",
          "url": "https://bugzilla.suse.com/1215603"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.x86_64",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.x86_64",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.x86_64",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-7.8-1.1.x86_64",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-desktop-7.8-1.1.x86_64",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-doc-7.8-1.1.x86_64",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.aarch64",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.ppc64le",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.s390x",
            "openSUSE Tumbleweed:pgadmin4-web-uwsgi-7.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-5002"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-5002 (GCVE-0-2023-5002)

Solution

Solution

Tags

Sightings

Nomenclature