CVE-2022-0959: Path Traversal
First published: Mon Mar 14 2022(Updated: )
A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/pgadmin | <6.7 | 6.7 |
| Postgresql Pgadmin 4 | <6.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-0959?
CVE-2022-0959 is a vulnerability that allows a malicious user to manually upload files to any location that the pgAdmin operating system user account has permission to write.
Who is affected by CVE-2022-0959?
Users of pgAdmin versions up to 6.7 and PostgreSQL Pgadmin 4 are affected by CVE-2022-0959.
How can a malicious user exploit CVE-2022-0959?
A malicious, but authorized and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to upload files.
What is the severity of CVE-2022-0959?
CVE-2022-0959 has a severity rating of 6.5, which is considered medium.
How can I mitigate CVE-2022-0959?
To mitigate CVE-2022-0959, users should update pgAdmin to version 6.7 or above.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-0959
- agent/software-canonical-lookup
- agent/weakness
- agent/event
- agent/tags
- agent/trending
- vendor/postgresql
- canonical/postgresql pgadmin 4
- package-manager/redhat