CVE-2024-2044
published 2024-03-07


Priority: P185 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: public exploit available (Metasploit module listed under Detection & IOCs)
EPSS: 79.33% (99.6th percentile)
pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

Affected (3 ranges)

Vendor          Product     Version range   Fixed in
fedoraproject   fedora      (not listed)    (not listed)
pgadmin.org     pgadmin_4   < 8.4           8.4
pgadmin         pgadmin_4   < 8.4           8.4

Detection & IOCs (extracted from sources)

Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pgadmin_session_deserialization.rb
  • Monitor for path traversal patterns in pgAdmin session handling requests — an attacker supplies a crafted session identifier that traverses outside the expected session directory to load an arbitrary pickle file.
  • On Windows targets, watch for outbound SMB (TCP 445) connections to UNC paths originating from the pgAdmin process (e.g., pgAdmin reaching out to an attacker-controlled SMB server to fetch a session file) — this is the unauthenticated exploitation technique.
  • On Linux/POSIX targets, monitor for file uploads via pgAdmin's file management plugin followed immediately by deserialization activity — the authenticated attack uploads a malicious pickle object then triggers its execution via path traversal.
  • Alert on pickle deserialization in the pgAdmin process only in context: the session store itself deserializes pickled sessions during normal operation, so the useful signal is a session file being loaded from outside the session directory (or from a UNC path), or a deserialization that follows a file-management upload. Successful exploitation results in arbitrary code execution in the context of the pgAdmin application.
  • On Windows, check whether the registry/policy setting for insecure outbound guest SMB access is enabled — this is required for the unauthenticated UNC-path technique on Windows 10 v1709 and later.
  • The unauthenticated UNC/SMB exploitation path is Windows-only; Linux/POSIX systems require valid credentials to exploit.
  • The authenticated file-upload exploitation technique requires pgAdmin >= 7.0; versions below 7.0 cannot be exploited via the file management plugin upload method due to plugin API changes in the 6.x series.
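The two platform-specific escapes above (a '..' chain on POSIX, a UNC path on Windows) and the session-identifier checks the first bullet calls for are easy to reproduce offline. The block below is an added illustration, not pgAdmin's code and not the Metasploit module: it shows the vulnerable join-the-untrusted-id-onto-the-session-directory pattern next to a hardened version, and a small classifier a detection rule could apply to session identifiers seen in request logs. It uses Python's ntpath and posixpath so both platforms can be exercised on one machine. The session directory paths, the sample identifiers and the assumed shape of a legitimate session id (an opaque token) are constructed for the example; pgAdmin's real session-id format is not shown on this page.

```python
import ntpath
import posixpath
import re

# Constructed session identifiers of the kind a log-based detection rule
# would see. The first is benign; the other three are attacker-shaped.
SAMPLE_SESSION_IDS = [
    "c0ffee11-2a3b-4c5d-8e9f-0a1b2c3d4e5f",   # benign opaque token
    "../../../../tmp/evil.pkl",               # POSIX traversal
    "..\\..\\..\\Users\\Public\\evil.pkl",    # Windows traversal
    "\\\\10.0.0.5\\share\\evil.pkl",          # Windows UNC path
]

# Assumed shape of a legitimate session id (an opaque token); pgAdmin's
# real format is not shown on this page.
SAFE_SESSION_ID = re.compile(r"[A-Za-z0-9_-]{8,128}")
# A ".." path component in either separator style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# UNC (\\host\share), drive-letter, or otherwise rooted path.
ROOTED = re.compile(r"^(\\\\|//|[A-Za-z]:[\\/]|[\\/])")


def vulnerable_session_path(session_dir, session_id, windows=False):
    """Illustrative vulnerable pattern (not pgAdmin's own code): the
    untrusted id is joined straight onto the session directory. On
    Windows a UNC or drive-letter id discards session_dir entirely; on
    POSIX a '..' chain walks out of it. normpath is applied only to make
    the escape visible; it offers no protection."""
    p = ntpath if windows else posixpath
    return p.normpath(p.join(session_dir, session_id))


def safe_session_path(session_dir, session_id, windows=False):
    """Hardened pattern: allowlist the id, then confirm the normalized
    result still lives under session_dir. Raises ValueError otherwise."""
    p = ntpath if windows else posixpath
    if not SAFE_SESSION_ID.fullmatch(session_id):
        raise ValueError("session id contains disallowed characters")
    base = p.normpath(session_dir)
    full = p.normpath(p.join(base, session_id))
    if not full.startswith(base + p.sep):
        raise ValueError("session path escapes the session directory")
    return full


def classify_session_id(session_id):
    """Detection helper: label a session id seen in a request or log line.
    Returns 'ok', 'rooted' (UNC/absolute, the Windows unauthenticated
    technique), 'traversal' (a '..' escape), or 'suspicious'."""
    if SAFE_SESSION_ID.fullmatch(session_id):
        return "ok"
    if ROOTED.match(session_id):
        return "rooted"
    if TRAVERSAL.search(session_id):
        return "traversal"
    return "suspicious"


def scan(session_ids):
    """Return only the ids a detection rule should raise on, with labels."""
    hits = []
    for sid in session_ids:
        label = classify_session_id(sid)
        if label != "ok":
            hits.append((sid, label))
    return hits


if __name__ == "__main__":
    for sid, label in scan(SAMPLE_SESSION_IDS):
        print(f"{label:10} {sid}")
    # The two platform-specific escapes the advisory describes.
    print(vulnerable_session_path(r"C:\pgadmin\sessions",
                                  SAMPLE_SESSION_IDS[3], windows=True))
    print(vulnerable_session_path("/var/lib/pgadmin/sessions",
                                  SAMPLE_SESSION_IDS[1]))
```

The classifier only covers the session-identifier side of the first bullet; the Windows-only signals (outbound SMB from the pgAdmin process, the insecure guest-auth policy) still need host or network telemetry, and the allowlist in safe_session_path is what actually closes the hole, the startswith check being defence in depth.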