CVE-2023-5002: Remote command Execution by an Authenticated user in pgAdmin 4 · Issue #6763 · pgadmin-org/pgadmin4

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.


Vulnerable versions: All prior to v7.6.

The pgAdmin server includes an HTTP API intended to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The server executes the selected utility to determine which PostgreSQL version it belongs to.

Versions of pgAdmin prior to 7.6 failed to properly control the server code executed through this API, which could allow an authenticated user to run arbitrary commands on the server. A user could supply a command as the filename and submit it to the path-validation API; the command would then be injected into the path validator and executed on the pgAdmin server.
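The controls such a path validator needs are illustrated below in an added example that is not pgAdmin's own code: the user-supplied path is only ever passed as a single argv element (never through a shell), and before anything is run the basename is checked against an allow-list of PostgreSQL utilities and the target must be a regular executable file. The allow-list, the function names and the `--version` output format are assumptions for the example.

```python
"""Hardened version probe for user-selected PostgreSQL utilities (added example)."""
from __future__ import annotations

import os
import re
import subprocess
from pathlib import Path

# Assumed allow-list: the only binaries a path validator should ever execute.
ALLOWED_UTILITIES = {"pg_dump", "pg_dumpall", "pg_restore", "psql"}

# Assumed shape of `<utility> --version`, e.g. "pg_dump (PostgreSQL) 15.4".
VERSION_RE = re.compile(r"^(\w+) \(PostgreSQL\) (\d+)(?:\.(\d+))?")


def utility_path_problem(user_path: str) -> str | None:
    """Return None if the path may be executed, otherwise the reason it is rejected."""
    p = Path(user_path)
    if not p.is_absolute():
        return "utility path must be absolute"
    resolved = p.resolve(strict=False)
    # Accept a Windows .exe suffix, then require a known utility name.  A path such
    # as "/usr/bin/pg_dump; echo x" has the basename "pg_dump; echo x" and fails here.
    name = resolved.name.lower().removesuffix(".exe")
    if name not in ALLOWED_UTILITIES:
        return f"{resolved.name!r} is not a PostgreSQL utility"
    if not resolved.is_file() or not os.access(resolved, os.X_OK):
        return f"{resolved} is not an executable file"
    # A production validator would additionally confine the path to
    # administrator-configured binary directories.
    return None


def parse_version(output: str) -> tuple[str, int, int]:
    """Parse '<utility> (PostgreSQL) MAJOR[.MINOR]' into (utility, major, minor)."""
    m = VERSION_RE.match(output.strip())
    if not m:
        raise ValueError(f"unrecognised version output: {output!r}")
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def probe_utility_version(user_path: str) -> tuple[str, int, int]:
    """Validate the path, then run it with an argv list (no shell) and parse the version."""
    problem = utility_path_problem(user_path)
    if problem is not None:
        raise ValueError(problem)
    # argv list: the path is one argument and is never re-parsed by a shell.
    proc = subprocess.run([user_path, "--version"], capture_output=True,
                          text=True, timeout=10, check=True)
    return parse_version(proc.stdout)
```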

This issue does not affect users running pgAdmin in desktop mode.

The pgAdmin project thanks Stefan Grönke <[email protected]> for reporting this issue.

Related news

GHSA-ghp8-52vx-77j4: pgAdmin failed to properly control the server code

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.
