Bug 1223867 (CVE-2024-4215)

Summary: VUL-0: CVE-2024-4215: pgadmin4: multi-factor authentication bypass
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Antonio Larrosa <alarrosa>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: alarrosa, camila.matos, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/404188/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4215:8.5:(AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-03 14:44:57 UTC
pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account's username and password to authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4215
https://www.cve.org/CVERecord?id=CVE-2024-4215
https://github.com/pgadmin-org/pgadmin4/issues/7425
https://bugzilla.redhat.com/show_bug.cgi?id=2278850

Comment 2 Camila Camargo de Matos 2024-05-03 14:46:17 UTC
The upstream patch seems to be available at: https://github.com/pgadmin-org/pgadmin4/commit/f4761f55f7cf6d56d6c5129f921393b0b47fd976

Comment 10 Maintenance Automation 2024-07-02 12:30:28 UTC
SUSE-SU-2024:2260-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1223867, 1223868
CVE References: CVE-2024-4215, CVE-2024-4216
Maintenance Incident: [SUSE:Maintenance:34492](https://smelt.suse.de/incident/34492/)
Sources used:
Python 3 Module 15-SP6 (src):
 pgadmin4-8.5-150600.3.3.1
openSUSE Leap 15.6 (src):
 pgadmin4-8.5-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.