File-based session management vulnerability in pgAdmin 4
CVE-2024-2044

9.9CRITICAL

Key Information:

Vendor: Pgadmin.org
Status: Pgadmin 4
Vendor: CVE Published:; 7 March 2024

🔔 Create Pgadmin.org Vulnerability Alert

What is CVE-2024-2044?

pgAdmin versions up to 8.3 are vulnerable to a path traversal flaw that manifests during the deserialization of user sessions in the session handling code. On Windows servers, this vulnerability allows unauthenticated attackers to remotely load and deserialize malicious pickle objects, leading to potential code execution. In contrast, if the server operates on a POSIX/Linux platform, authenticated users can exploit the vulnerability by uploading and deserializing these objects, which can similarly result in code execution. Organizations using affected versions of pgAdmin should implement immediate mitigations to safeguard their systems.

Affected Version(s)

pgAdmin 4 0

References

https://github.com/pgadmin-org/pgadmin4/issues/7258

issue-tracking

https://www.shielder.com/advisories/pgadmin-path-traversa...

mitigation

https://lists.fedoraproject.org/archives/list/package-ann...

EPSS Score

77% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 7, 2024
Vulnerability Reserved
Feb 29, 2024