Remote code execution by an authenticated user
CVE-2023-5002

8.8HIGH

Key Information:

Vendor: Fedora
Status: pgadmin4; Fedora
Vendor: CVE Published:; 22 September 2023

What is CVE-2023-5002?

A security flaw in pgAdmin allows authenticated users to exploit the server HTTP API to execute arbitrary commands. This vulnerability arises from improper path validation for external PostgreSQL utilities such as pg_dump and pg_restore. As a result, versions of pgAdmin prior to 7.6 are susceptible to unauthorized command execution on the server, posing significant security risks for database integrity and confidentiality.

Affected Version(s)

pgadmin4 7.7

References

https://bugzilla.redhat.com/show_bug.cgi?id=2239164

issue-trackingx_refsource_REDHAT

https://github.com/pgadmin-org/pgadmin4/issues/6763

https://lists.fedoraproject.org/archives/list/package-ann...

EPSS Score

17% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2023
Vulnerability Reserved
Sep 15, 2023

Fedora

What is CVE-2023-5002?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline