Bug 1215603 (CVE-2023-5002)

Summary: VUL-0: CVE-2023-5002: pgadmin4: remote code execution by an authenticated user
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Antonio Larrosa <alarrosa>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: alarrosa, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/379593/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5002:8.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-09-22 08:21:59 UTC 
CVE-2023-5002

The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from.

Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, which could allow an authenticated user to run arbitrary commands on the server. Users can use the commands as filenames and check for validating the path using the API. This would inject the command in the path validator and execute the command on the pgAdmin server.

This issue does not affect users running pgAdmin in desktop mode.

Reference:
https://github.com/pgadmin-org/pgadmin4/issues/6763

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5002
https://bugzilla.redhat.com/show_bug.cgi?id=2239164
Comment 1 Cathy Hu 2023-09-22 08:24:15 UTC 
Affected:
- SUSE:SLE-15-SP1:Update/pgadmin4  4.1 
- SUSE:SLE-15-SP3:Update/pgadmin4  4.30
- openSUSE:Factory/pgadmin4        7.6
Comment 3 Antonio Larrosa 2023-10-30 17:42:14 UTC 
4.1 and 4.30 are too old so they don't even include the affected API functionality.
7.6 seems to be affected but the package in Factory has not worked for a long time. pgAdmin changed the way it was build (now using nodejs) while the package was built just as before which produced a building but not working pgAdmin.

This is fixed in https://build.opensuse.org/request/show/1121161 which updates it to 7.8 and rework how pgadmin is built.