
CVE-2024-4215

Disclosure Date: May 02, 2024

Description

pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password to authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account’s MFA enrollment status.

Technical Analysis

pgAdmin is vulnerable to a multi-factor authentication bypass (CWE-287) whereby an attacker with knowledge of an account’s credentials can manage files and make SQL queries regardless of whether or not the account has been configured with MFA. This vulnerability has a CVSS v3 score of 6.4 with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Exploitation

An attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries regardless of the account’s MFA enrollment status.

pgAdmin4 is a rewrite of the original application in Python and has evolved into pgAdmin4 version 8.5 (the latest version as of when this vulnerability was discovered). The application is written using the Flask web framework and uses common Flask patterns such as blueprints, which are application components that group one or more resource handlers called “views”.

Upon normal authentication, an MFA-enabled user is granted a session without the mfa_authenticated key. pgAdmin then offers an mfa_required decorator that must be applied to individual Flask views in order for them to be protected. Once the username and password are validated, the session object itself is valid, meaning each view must opt into MFA enforcement rather than MFA being required before a valid, authenticated session is created. The main view of the browser blueprint opts into MFA enforcement. The /browser/ resource is the default location a newly authenticated user is redirected to. When this view is rendered by Flask, the MFA authentication status is checked and the user is prompted to enter their OTP.

If, however, the user has automated the necessary HTTP requests, there is nothing stopping them from using their authenticated session and accessing other parts of the application including the file manager and SQL editor blueprints. These two resources, along with others, only require an authenticated session, effectively ignoring the account’s MFA requirement.
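The root cause described above is an opt-in enforcement model: a view is protected only if a developer remembered to apply the decorator. The following is an added, stdlib-only model written for this page (not pgAdmin's code; the view names, session keys and the `before_request` hook are hypothetical stand-ins for the Flask pattern). It shows how a session that has passed password login but not OTP verification reaches an undecorated view under the opt-in model, and how a deny-by-default hook that runs for every request in the blueprint closes that gap.

```python
"""Opt-in MFA (per-view decorator) versus deny-by-default MFA enforcement.

Illustrative model written for this page, not pgAdmin's source. The session
is a plain dict standing in for Flask's session object; the mini "app" classes
mimic route registration and dispatch so the example runs without Flask.
"""
from functools import wraps

MFA_REDIRECT = (302, "/mfa/verify")      # constructed response: prompt for OTP
MFA_EXEMPT = {"/mfa/verify", "/logout"}  # paths that must work before OTP


def password_login(username, mfa_enrolled):
    """Model of a successful username/password login: the session is already
    valid, but carries no mfa_authenticated key until the OTP is verified."""
    return {"user": username, "mfa_enrolled": mfa_enrolled}


def complete_otp(session):
    """Model of a successful OTP check; only then is the key set."""
    session["mfa_authenticated"] = True


def needs_mfa(session):
    """True when the account is enrolled in MFA but this session has not
    completed the OTP step yet."""
    return session.get("mfa_enrolled") and not session.get("mfa_authenticated")


def mfa_required(view):
    """Per-view decorator in the style the analysis describes (opt-in)."""
    @wraps(view)
    def wrapper(session):
        if needs_mfa(session):
            return MFA_REDIRECT
        return view(session)
    return wrapper


class OptInApp:
    """Views are protected only if they individually carry mfa_required."""
    def __init__(self):
        self.views = {}

    def route(self, path):
        def register(fn):
            self.views[path] = fn
            return fn
        return register

    def dispatch(self, path, session):
        return self.views[path](session)


class DenyByDefaultApp(OptInApp):
    """Same registration, but a before_request-style hook enforces MFA for
    every path except an explicit allowlist, so forgetting a decorator on a
    new view cannot silently expose it."""
    def dispatch(self, path, session):
        if path not in MFA_EXEMPT and needs_mfa(session):
            return MFA_REDIRECT
        return super().dispatch(path, session)


def build(app_cls):
    """Register the same three hypothetical views on either app type; note the
    file manager view deliberately lacks the decorator, mirroring the gap."""
    app = app_cls()

    @app.route("/browser/")
    @mfa_required
    def browser(session):
        return (200, "browser")

    @app.route("/file_manager/")          # opted out by omission
    def file_manager(session):
        return (200, "file manager")

    @app.route("/mfa/verify")
    def verify(session):
        return (200, "enter OTP")

    return app


def status_after_password_only(app_cls, path):
    """Response status for an MFA-enrolled user who logged in with a password
    but never completed OTP, when requesting `path` directly."""
    session = password_login("alice", mfa_enrolled=True)
    return build(app_cls).dispatch(path, session)[0]


def status_after_otp(app_cls, path):
    """Response status once the same user has completed the OTP step."""
    session = password_login("alice", mfa_enrolled=True)
    complete_otp(session)
    return build(app_cls).dispatch(path, session)[0]


if __name__ == "__main__":
    for cls in (OptInApp, DenyByDefaultApp):
        for p in ("/browser/", "/file_manager/"):
            print(f"{cls.__name__:17s} {p:15s} before OTP -> "
                  f"{status_after_password_only(cls, p)}")
```

Under `OptInApp` the decorated `/browser/` view redirects to the OTP prompt while the undecorated `/file_manager/` view returns 200 to the same half-authenticated session; under `DenyByDefaultApp` both redirect until the OTP step is completed, and only the allowlisted OTP endpoint is reachable beforehand. The design lesson is that authentication state should be enforced centrally (at session creation or in a request-level hook) rather than by each handler remembering to opt in.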

Impact

An attacker is able to leverage an MFA-enabled account with only knowledge of its username and password to execute SQL queries and manage files. It should be noted that the file manager does not have full access to the root file system by default but is commonly used to store SQL-related data files.

This vulnerability was fixed in pgAdmin 8.6 by commit f4761f5.


General Information

Vendors

  • pgadmin.org

Products

  • pgAdmin 4
