Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

CVE-2024-2044

Disclosure Date: March 07, 2024

Description

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

pgAdmin versions <=8.3 are vulnerable to a path traversal vulnerability in the session handling logic. This can be leveraged by an attacker to load a malicious serialized object and execute Python code within the context of the application. On Linux servers, this requires the ability to write files to the target. pgAdmin has a file management component that is available by default for users. With a known username and password, a user can authenticate to pgAdmin, upload a malicious object, and trigger code execution through the path traversal vulnerability. It should be noted that CVE-2024-4215 affects a superset of pgAdmin versions and, therefore, an attacker would be able to leverage an account regardless of its MFA enrollment status.

When targeting Windows servers, the vulnerability can lead to code execution by using a UNC path in place of the path traversal. Insecure outbound guest access was disabled by default in Windows 10 v1709 (Redstone 3). To leverage this technique, the target would either need to be an older system, or have guest access explicitly enabled. Alternatively, Windows servers can also be exploited by using the same file management functionality provided by pgAdmin.

This vulnerability was fixed in commit 4e49d75.
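As an added illustration (not pgAdmin's code and not its actual fix in 4e49d75), the checks a defender wants in front of any session-id-to-file lookup of the kind described above: an allow-list on the identifier, a containment check after path resolution so "..", absolute and UNC forms cannot escape the session directory, and a data format that cannot execute code on load. All function names, the session directory and the sample identifiers are constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Session ids are opaque random tokens: no slashes, backslashes, dots or colons.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")

def is_safe_session_id(session_id: str) -> bool:
    """Allow-list check on the raw identifier taken from the client."""
    return SESSION_ID_RE.fullmatch(session_id) is not None

def resolve_session_path(session_dir: str, session_id: str) -> Path:
    """Map an id to a file inside session_dir, or raise ValueError."""
    if not is_safe_session_id(session_id):
        raise ValueError("session id fails allow-list")
    base = Path(session_dir).resolve()
    candidate = (base / session_id).resolve()
    # Containment check after resolution: catches symlinks, "..", and
    # absolute or UNC forms even if the allow-list were ever loosened.
    if candidate.parent != base:
        raise ValueError("session path escapes session directory")
    return candidate

def load_session(session_dir: str, session_id: str) -> dict:
    """Load the session as JSON: unlike pickle, JSON cannot run code on load."""
    path = resolve_session_path(session_dir, session_id)
    data = json.loads(path.read_text(encoding="utf-8"))
    if not isinstance(data, dict):
        raise ValueError("malformed session file")
    return data

def accepts(session_dir: str, session_id: str) -> bool:
    """True if the id would reach the filesystem lookup, False if rejected."""
    try:
        resolve_session_path(session_dir, session_id)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Constructed scenario: one valid session file plus hostile identifiers."""
    session_dir = tempfile.mkdtemp(prefix="sessions-")
    good_id = "k3Jx9QmZ2pLr8VbN1tYw4Hs6"  # constructed token, 24 chars
    (Path(session_dir) / good_id).write_text(json.dumps({"user": "alice"}), encoding="utf-8")
    hostile = ["../../../tmp/upload", "..\\..\\storage\\upload",
               "\\\\203.0.113.7\\share\\session", "C:\\Temp\\session"]
    return {"good": load_session(session_dir, good_id),
            "rejected": [s for s in hostile if not accepts(session_dir, s)]}
```

The UNC and drive-letter identifiers in `demo()` are the Windows forms the analysis above refers to; the allow-list rejects them before any path is built, and the containment check would catch them independently.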

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • pgadmin.org

Products

  • pgAdmin 4
