pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.
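The summary combines two defects: a session identifier that reaches the file system unvalidated (CWE-31) and pickle as the on-disk session format, so a traversal that points the loader at attacker-controlled bytes becomes code execution. The following Python toy session store is an added illustration of that pattern beside a hardened loader; it is not pgAdmin's code and not the advisory's proof of concept. The names (load_session_vulnerable, load_session_hardened, _RunOnUnpickle, demo), the directory layout, and the session-id format are all hypothetical, and the "malicious" pickle only creates a marker directory to show that a callable of the pickle author's choosing runs during loading.

```python
import json
import os
import pickle
import re
import tempfile


class _RunOnUnpickle:
    """Constructed malicious object (hypothetical): pickle's __reduce__
    protocol lets the serialised form name any importable callable plus
    arguments, and the unpickler calls it while loading. Here the callable
    is os.mkdir on a marker path, a harmless stand-in for attacker code."""

    def __init__(self, marker):
        self.marker = marker

    def __reduce__(self):
        return (os.mkdir, (self.marker,))


def load_session_vulnerable(session_dir, session_id):
    """Hypothetical vulnerable loader: the session id becomes part of a
    file name with no validation (CWE-31) and the file is unpickled."""
    path = os.path.join(session_dir, session_id)
    with open(path, "rb") as f:
        return pickle.load(f)


# Allow-list for identifiers: no separators, no dots, bounded length.
_SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,64}")


def load_session_hardened(session_dir, session_id):
    """Hypothetical hardened loader: allow-list the id, confirm the resolved
    path stays inside session_dir, and read a data-only format (JSON) that
    cannot name callables."""
    if not _SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session id")
    base = os.path.realpath(session_dir)
    path = os.path.realpath(os.path.join(base, session_id))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("session path escapes session directory")
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def demo():
    """Builds a constructed layout in a temp dir and returns what each
    loader did with the same traversal identifier."""
    root = tempfile.mkdtemp()
    session_dir = os.path.join(root, "sessions")
    os.mkdir(session_dir)
    marker = os.path.join(root, "code_ran")

    # Attacker-supplied pickle outside the session directory. In the
    # summary's Linux case this is an uploaded file, in the Windows case a
    # remote one; here it is constructed as a sibling directory.
    evil = os.path.join(root, "uploads", "evil")
    os.makedirs(os.path.dirname(evil))
    with open(evil, "wb") as f:
        pickle.dump(_RunOnUnpickle(marker), f)

    traversal_id = os.path.join("..", "uploads", "evil")
    results = {}

    load_session_vulnerable(session_dir, traversal_id)  # unpickles evil
    results["vulnerable_executed_code"] = os.path.isdir(marker)

    try:
        load_session_hardened(session_dir, traversal_id)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True

    # A well-formed identifier still loads through the hardened path.
    good_id = "b7d1f3a9c2e4d6f8a0b2c4d6e8f0a1b3"
    with open(os.path.join(session_dir, good_id), "w", encoding="utf-8") as f:
        json.dump({"user": "alice"}, f)
    results["hardened_loads_valid"] = load_session_hardened(session_dir, good_id)["user"]
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened loader layers three independent checks: the identifier allow-list alone stops the traversal, the realpath containment check catches anything the allow-list misses (symlinks, encoding tricks, a later relaxation of the regex), and the switch from pickle to JSON removes code execution even if a file outside the directory is ever read. Which of these the project's own fix applied is not stated on this page.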
References
Configurations
No configuration.
History
21 Nov 2024, 09:08
Type | Values Removed | Values Added |
---|---|---|
References | https://github.com/pgadmin-org/pgadmin4/issues/7258 | |
References | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/ | |
References | https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ | |
01 Aug 2024, 13:49
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-31 |
23 Mar 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
13 Mar 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CVSS | | v2 : unknown, v3 : 9.9 |
References | | |
Summary | (en) pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution. |
08 Mar 2024, 14:02
Type | Values Removed | Values Added |
---|---|---|
Summary | | |
07 Mar 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2024-03-07 21:15
Updated : 2024-11-21 09:08
NVD link : CVE-2024-2044
Mitre link : CVE-2024-2044
CVE.ORG link : CVE-2024-2044
Products Affected
No product.
CWE
CWE-31
Path Traversal: 'dir\..\..\filename'