CVE-2022-4223
published 2022-12-13

Priority: P2 · 78 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: EPSS 79.93% (99.6th percentile)
The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from. Versions of pgAdmin prior to 6.17 failed to properly secure this API, which could allow an unauthenticated user to call it with a path of their choosing, such as a UNC path to a server they control on a Windows machine. This would cause an appropriately named executable in the target path to be executed by the pgAdmin server.

Affected (2 ranges)

Vendor          Product     Version range   Fixed in
fedoraproject   fedora      -               -
pgadmin         pgadmin_4   < 6.17          6.17

Detection & IOCs (extracted from sources)

url:     /misc/validate_binary_path
command: {"utility_path":"/tmp/$(id)"}
other:   X-pgA-CSRFToken
  • Monitor for unauthenticated POST requests to /misc/validate_binary_path — this endpoint should require authentication and any unauthenticated access is indicative of exploitation attempts.
  • Alert on responses containing 'uid=' and 'gid=' strings in the body of /misc/validate_binary_path responses, which confirms successful command injection (RCE) via the utility_path parameter.
  • Detect payloads in the utility_path JSON field containing shell metacharacters (e.g., $(), backticks) or UNC paths (\\server\share) submitted to the validate_binary_path API.
  • On Windows, watch for pgAdmin spawning processes from UNC paths (\\<remote-server>\...) as this indicates exploitation via a UNC path to an attacker-controlled server.
  • Regex pattern for confirming RCE output in HTTP response body: uid=[0-9]+\([a-zA-Z0-9_-]+\)\s*gid=[0-9]+\([a-zA-Z0-9_-]+\)
  • This vulnerability only affects pgAdmin running in server mode — desktop mode users are not impacted.
  • Only pgAdmin versions prior to 6.17 are vulnerable; ensure detections are scoped to unpatched deployments.
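The detection bullets above turned into a small Python check over HTTP events, as an added illustration that is not part of the advisory or of the pgAdmin project. The event record shape (method, path, authenticated, body, response) and the sample events are assumptions constructed for the example.

```python
import json
import re

# pgAdmin API path named in the advisory.
VALIDATE_PATH = "/misc/validate_binary_path"

# Shell metacharacters ($(...), backticks) or a UNC path prefix (\\server\share)
# in utility_path, per the detection notes.
SUSPICIOUS_PATH = re.compile(r"\$\(|`|^\\\\[^\\]+\\")
# Regex from the detection notes for `id` output echoed in a response body.
ID_OUTPUT = re.compile(r"uid=[0-9]+\([a-zA-Z0-9_-]+\)\s*gid=[0-9]+\([a-zA-Z0-9_-]+\)")


def assess(event: dict) -> list[str]:
    """Return detection findings for one proxied HTTP event.
    `event` is an assumed record shape: method, path, authenticated (bool),
    body (raw request body) and response (raw response body).
    """
    findings = []
    if event.get("path") != VALIDATE_PATH:
        return findings
    if event.get("method") == "POST" and not event.get("authenticated"):
        findings.append("unauthenticated-post")
    try:
        utility_path = json.loads(event.get("body") or "{}").get("utility_path", "")
    except (json.JSONDecodeError, AttributeError):
        utility_path = ""
    if isinstance(utility_path, str) and SUSPICIOUS_PATH.search(utility_path):
        findings.append("suspicious-utility-path")
    if ID_OUTPUT.search(event.get("response") or ""):
        findings.append("command-output-in-response")
    return findings


# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    {"method": "POST", "path": VALIDATE_PATH, "authenticated": True,
     "body": '{"utility_path":"/usr/lib/postgresql/14/bin"}',
     "response": '{"success":1,"data":"14.5"}'},
    {"method": "POST", "path": VALIDATE_PATH, "authenticated": False,
     "body": '{"utility_path":"/tmp/$(id)"}',
     "response": "uid=1000(pgadmin) gid=1000(pgadmin)"},
    {"method": "POST", "path": VALIDATE_PATH, "authenticated": False,
     "body": r'{"utility_path":"\\\\203.0.113.5\\share"}',
     "response": '{"success":0}'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["body"], "->", assess(ev) or ["ok"])
```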

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_redhat: 8.8 HIGH