pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.
During user session deserialization, the application code does not properly verify paths, resulting in a path traversal vulnerability (CWE-31). On Windows systems, an unauthenticated attacker can point to a remote pickle object and cause it to be deserialized by the server, thereby achieving code execution. On POSIX/Linux systems, an authenticated attacker can upload a crafted pickle object to the server and then force the application to deserialize it, which also leads to RCE. The Python pickle mechanism is inherently unsafe — deserialization of untrusted data allows arbitrary code execution in the context of the server process.
An attacker can obtain full code execution on the server (RCE) in the context of the pgAdmin process, which in practice means the ability to take control of the server, steal data, and perform further lateral movement in the network.
pgAdmin 4 should be updated to a version newer than 8.3, in which the bug was fixed. Details regarding the patch are available in the vendor's references (GitHub pgadmin-org/pgadmin4 issue #7258) and Fedora Package Announce communications. Until an update is applied, consider restricting access to the pgAdmin interface exclusively to trusted networks or IP addresses, and on Windows systems — block outgoing network connections from the pgAdmin process.
pgAdmin 4 versions 8.3 and earlier (pgadmin-org/pgadmin4); affects installations on Windows and POSIX/Linux systems. The vulnerability also affects pgAdmin packages available in Fedora Linux.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HFedora Project Fedora
OSFedoraproject40Pgadmin 4
APPPgadmin< 8.4
Related vulnerabilities
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox
Integer overflow w Skia w Google Chrome — sandbox escape