CVE-2023-5002: Pgadmin4: remote code execution by an authenticated user
First published: Fri Sep 15 2023(Updated: )
A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.
Credit: patrick@puiterwijk.org patrick@puiterwijk.org patrick@puiterwijk.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/pgadmin4 | <7.7 | 7.7 |
| Pgadmin Pgadmin | <7.7 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| redhat/pgadmin4 | <7.7 | 7.7 |
| <7.7 | ||
| =37 | ||
| =38 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-5002
- https://github.com/pgadmin-org/pgadmin4/issues/6763
- https://bugzilla.redhat.com/show_bug.cgi?id=2239164
- https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S24D3S2GVNGTDNE6SF2OQSOPU3H72UW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VIRTMQZEE6K7RD37ERZ2UFYFLEUXLQU3/
- https://github.com/advisories/GHSA-ghp8-52vx-77j4 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2240071
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2023-5002.
What is the severity level of CVE-2023-5002?
CVE-2023-5002 has a severity level of high.
Which versions of pgAdmin are affected by this vulnerability?
Versions of pgAdmin prior to 7.7 are affected by this vulnerability.
What is the risk associated with this vulnerability?
The risk associated with CVE-2023-5002 is rated at 8.8 (high).
Are there any references or additional resources related to this vulnerability?
Yes, you can find more information about CVE-2023-5002 in the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5002), [GitHub Issue](https://github.com/pgadmin-org/pgadmin4/issues/6763), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2239164)
- collector/github-advisory-latest
- alias/GHSA-ghp8-52vx-77j4
- alias/CVE-2023-5002
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/title
- agent/references
- agent/remedy
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- agent/trending
- package-manager/pip
- vendor/pgadmin
- canonical/pgadmin pgadmin
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/redhat