Bug 1222390 (CVE-2024-3116)

Summary:	VUL-0: CVE-2024-3116: pgadmin4: pgadmin: remote code execution via validate binary path API
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Critical
Priority:	P3 - Medium	CC:	alarrosa, andrea.mattiazzo, camila.matos
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/400382/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-3116:9.9:(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-04-05 17:13:42 UTC

pgAdmin <= 8.4 is affected by a  Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3116
https://github.com/pgadmin-org/pgadmin4/issues/7326
https://www.cve.org/CVERecord?id=CVE-2024-3116
https://gist.github.com/aelmokhtar/689a8be7e3bd535ec01992d8ec7b2b98
https://bugzilla.redhat.com/show_bug.cgi?id=2273510

Comment 2 Camila Camargo de Matos 2024-04-05 17:21:12 UTC

Upstream seems to have patched this in https://github.com/pgadmin-org/pgadmin4/commit/fbbbfe22dd468bcfef1e1f833ec32289a6e56a8b.

Other references:
- https://gist.github.com/aelmokhtar/689a8be7e3bd535ec01992d8ec7b2b98
- https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/
- https://github.com/pgadmin-org/pgadmin4/issues/7326

Comment 3 Camila Camargo de Matos 2024-04-05 21:11:33 UTC

As per the write-up in [0], it seems like the function that ultimately leads to the RCE is a function called 'get_binary_path_versions' (this is the function that actually executes the supposed malicious code related to the unverified user input. The lack of user input validation happens in other locations in the code). This function seems to have been introduced with commit 35f05e49 [1], which is the fix for CVE-2023-5002 [2][3]. This means that it is possible that versions prior to 7.7 are not affected.

[0] https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/
[1] https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2
[2] https://www.suse.com/security/cve/CVE-2023-5002.html
[3] https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2