Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yajk4LWNyZjQtZzY5d84AA51E

pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user

pgAdmin prior to version 8.4 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution.
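The description above names two ingredients: a session id that is joined onto a session directory without validation (the traversal), and pickle as the session format (the code-execution sink). The following is an added illustration of that pattern, written for this page; it is not pgAdmin's code, and the session directory layout, the session-id format, the helper names and the payload are assumptions. It shows the unvalidated join, the Windows UNC case via ntpath so it runs anywhere, the pickle `__reduce__` primitive, and a hardened path check that rejects the traversal.

```python
# Added illustration of the vulnerability class in the advisory above.
# This is NOT pgAdmin's code: the session-file layout, the session-id
# format, the helper names and the payload are all assumptions made here.
import os
import ntpath
import pickle
import re
import tempfile
from pathlib import Path

# Assumed allowlist for session ids: opaque tokens, no separators or dots.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")

# Records whether a pickle payload got to run code during unpickling.
EXECUTED = []


def record_execution(msg):
    """Stand-in for an attacker's command; pickle calls this on load."""
    EXECUTED.append(msg)
    return msg


class Payload:
    """Constructed malicious pickle: __reduce__ tells pickle to call
    record_execution() while loading, which is the RCE primitive."""
    def __reduce__(self):
        return (record_execution, ("payload ran",))


class BadSessionId(ValueError):
    pass


def vulnerable_session_path(session_dir, session_id):
    """Joins an unvalidated, cookie-supplied id onto the session dir.
    '../' walks out of session_dir, and an absolute id makes os.path.join
    drop session_dir entirely."""
    return os.path.join(session_dir, session_id)


def windows_vulnerable_session_path(session_dir, session_id):
    """Same join with Windows semantics (ntpath, so it runs anywhere): a UNC
    id such as \\\\host\\share\\x.pkl replaces session_dir, so the server
    would fetch and unpickle a file from a remote share."""
    return ntpath.join(session_dir, session_id)


def vulnerable_load_session(session_dir, session_id):
    with open(vulnerable_session_path(session_dir, session_id), "rb") as f:
        return pickle.load(f)  # executes whatever the file's __reduce__ says


def safe_session_path(session_dir, session_id):
    """Hardened form: allowlist the id, then confirm the resolved path is a
    direct child of the session directory (symlinks included)."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise BadSessionId("session id outside allowlist")
    base = Path(session_dir).resolve()
    candidate = (base / session_id).resolve()
    if candidate.parent != base:
        raise BadSessionId("resolved path escapes the session directory")
    return candidate


def safe_load_session(session_dir, session_id):
    with open(safe_session_path(session_dir, session_id), "rb") as f:
        return pickle.load(f)  # still pickle; path check only closes traversal


def demo():
    """Returns (payload_ran_via_vulnerable_loader, payload_ran_via_safe_loader)."""
    EXECUTED.clear()
    with tempfile.TemporaryDirectory() as tmp:
        session_dir = os.path.join(tmp, "sessions")
        upload_dir = os.path.join(tmp, "uploads")
        os.makedirs(session_dir)
        os.makedirs(upload_dir)
        # Constructed: a pickle the attacker managed to place outside the
        # session directory (the advisory's POSIX "upload" case).
        evil = os.path.join(upload_dir, "evil.pkl")
        with open(evil, "wb") as f:
            pickle.dump(Payload(), f)
        traversal_id = "../uploads/evil.pkl"
        vulnerable_load_session(session_dir, traversal_id)
        ran_vulnerable = EXECUTED == ["payload ran"]
        try:
            safe_load_session(session_dir, traversal_id)
            ran_safe = True
        except BadSessionId:
            ran_safe = False
        return ran_vulnerable, ran_safe


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The path check is the minimum: it stops an attacker from steering the loader at a file they control, which is what both the Windows (remote UNC path, no login needed) and POSIX (uploaded file, login needed) cases in the description depend on. pickle itself remains a code-execution sink for any file the loader can be made to open, so a practitioner would also move session state to a format that cannot execute code (JSON) or authenticate the stored file (an HMAC over its bytes) before loading it. For pgAdmin the fix is to upgrade to 8.4 or later.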

Permalink: https://github.com/advisories/GHSA-rj98-crf4-g69w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yajk4LWNyZjQtZzY5d84AA51E
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 4 months ago


CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-rj98-crf4-g69w, CVE-2024-2044
References: Repository: https://github.com/pgadmin-org/pgadmin4
Blast Radius: 17.1

Affected Packages

pypi:pgAdmin4
Dependent packages: 1
Dependent repositories: 51
Downloads: 10,374 last month
Affected Version Ranges: < 8.4
Fixed in: 8.4
All affected versions:
All unaffected versions: