Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-9014Insufficiently Protected Credentials in Pgadmin 4

CWE-522Insufficiently Protected Credentials6 documents6 sources
Severity
6.5MEDIUMNVD
CNA9.9VulnCheck9.9
EPSS
92.9%
top 0.23%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Pgadmin.org Pgadmin 4Pgadmin 4
Timeline
PublishedSep 23

Description

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDpgadmin/pgadmin_4< 8.12
CVEListV5pgadmin.org/pgadmin_4< 8.12

🔴Vulnerability Details

4
OSV
OAuth2 client ID and secret exposed through the web browser2024-09-23
CVEList
OAuth2 client id and secret exposed through the web browser in pgAdmin 42024-09-23
GHSA
OAuth2 client ID and secret exposed through the web browser2024-09-23
VulnCheck
pgAdmin 4 OAuth2 Authentication Bypass Vulnerability2024

💥Exploits & PoCs

1
Nuclei
pgAdmin 4 - Authentication Bypass
CVE-2024-9014 — Insufficiently Protected Credentials | cvebase