CVE-2023-5002 — OS Command Injection in 4

CWE-78 — OS Command Injection4 documents4 sources

Severity

8.8HIGHNVD

CNA6.0

EPSS

27.2%

top 3.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pgadmin 4 Fedoraproject Fedora

Timeline

PublishedSep 22

Description

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDpgadmin/pgadmin_4< 7.7

Also affects: Fedora 37, 38

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

pgAdmin failed to properly control the server code↗2023-09-22

▶

OSV

pgAdmin failed to properly control the server code↗2023-09-22

▶

CVEList

Pgadmin4: remote code execution by an authenticated user↗2023-09-22

▶