Bug 1221172 (CVE-2024-2044)

Summary: VUL-0: CVE-2024-2044: pgadmin4: Unsafe Deserialization and Remote Code Execution by an Authenticated user
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gianluca.gabrielli, rfrohl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/396628/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-2044:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-08 11:49:28 UTC 
pgAdmin 4 uses a file-based session management approach. The session files are saved on disk as pickle objects. When a user performs a request, the value of the session cookie 'pga4_session' is used to retrieve the file, then its content is deserialised, and finally its signature verified.
The cookie value is split in 2 parts at the first '!' character. The first part is the session ID (sid), while the second is the session digest.
 The vulnerability lies in versions of pgAdmin prior to 8.4 where a method loads session files by concatenating the sessions folder - located inside the pgAdmin 4 DATA_DIR - with the session ID. Precisely, the two values are concatenated using the ['os.path.join'] function. It does not set a trusted base-path which should not be escaped

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2044
https://www.cve.org/CVERecord?id=CVE-2024-2044
https://github.com/pgadmin-org/pgadmin4/issues/7258
https://bugzilla.redhat.com/show_bug.cgi?id=2268535
Comment 5 Antonio Larrosa 2024-04-09 18:04:02 UTC 
I submitted https://build.suse.de/request/show/325880 to SP3:Update
and https://build.suse.de/request/show/325881 to SP1:Update . Note that in the SP1 case it includes other fixes that I submitted years ago and that seem to not have been released yet.

I also submitted an update to 8.5 (which already includes the fix for this issue) to Factory and SP6.
Comment 7 Maintenance Automation 2024-04-18 16:31:16 UTC 
SUSE-SU-2024:1340-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221172
CVE References: CVE-2024-2044
Maintenance Incident: [SUSE:Maintenance:33332](https://smelt.suse.de/incident/33332/)
Sources used:
openSUSE Leap 15.3 (src):
 pgadmin4-4.30-150300.3.12.1
openSUSE Leap 15.5 (src):
 pgadmin4-4.30-150300.3.12.1
Server Applications Module 15-SP5 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Manager Proxy 4.3 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Manager Retail Branch Server 4.3 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Manager Server 4.3 (src):
 pgadmin4-4.30-150300.3.12.1
SUSE Enterprise Storage 7.1 (src):
 pgadmin4-4.30-150300.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.