Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | VUL-0: CVE-2024-6238: pgadmin4: pgadmin: Insecure permissions for the installation directory | | |
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Antonio Larrosa <alarrosa> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P2 - High | CC: | abergmann |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/412111/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-6238:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Description
SMASH SMASH
2024-06-26 13:14:40 UTC
Looking at the changes upstream made recently related to this, the fixes seem to be the following set of changes:

- https://github.com/pgadmin-org/pgadmin4/commit/f7eeefa3a9e78ac08991870214bf74c882d4c0fe
- https://github.com/pgadmin-org/pgadmin4/commit/3d107ea618bc1f0115bc5b76bce81f36822ce8e3
- https://github.com/pgadmin-org/pgadmin4/commit/95ce9e976ec3f73f1f8c59b968f0880c59848be4
- https://github.com/pgadmin-org/pgadmin4/commit/227f047810fc69cd1bee1b7689d3eadb358f9aa3

(with the last one being a partial revert of the previous commit, although the commit message implies it's a full revert)

After a close look at those changes (and the setup-web.sh script, which we don't even install although upstream's redhat packages do), it seems they install things at /usr/pgadmin4/{bin,venv,web}, which are the directories mentioned in the description of https://github.com/pgadmin-org/pgadmin4/issues/7605, but we use standard system directories (and no venv), so I'd say we're not affected by this.
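As an added defender-side check (example code written for this page, not part of the bug report, the SUSE package or pgadmin4 itself): a POSIX shell audit that inspects the /usr/pgadmin4/{bin,venv,web} directories named in the comment for group- or world-writable permission bits and unexpected ownership, and recursively lists any world-writable entries beneath them. It assumes GNU coreutils `stat`/`find` and that the installation tree should be owned by root; the expected-owner parameter and the function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the bug report or the pgadmin4 project.
# Assumes GNU coreutils (stat -c, find -perm -o+w).

# check_dir DIR [OWNER] -> prints one finding line and returns 1 if DIR is
# group- or world-writable or is not owned by OWNER (default: root).
# A missing directory is reported as SKIP and is not a failure.
check_dir() {
    dir=$1
    expected_owner=${2:-root}
    [ -d "$dir" ] || { echo "SKIP $dir: not present"; return 0; }
    mode=$(stat -c '%a' "$dir")      # octal mode, e.g. 755 or 1777
    owner=$(stat -c '%U' "$dir")     # owner name
    rc=0
    # mode is printed as decimal digits of the octal value: last digit is
    # "other", the one before it is "group"; bit 2 of each is the write bit.
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    if [ $(( other & 2 )) -ne 0 ] || [ $(( group & 2 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group/world-writable"
        rc=1
    fi
    if [ "$owner" != "$expected_owner" ]; then
        echo "WARN $dir: owned by $owner, expected $expected_owner"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK   $dir: mode $mode owner $owner"
    return $rc
}

# scan_tree DIR -> prints every entry below DIR that is world-writable
# (symlinks and sticky directories excluded) and returns 1 if any exist.
scan_tree() {
    dir=$1
    [ -d "$dir" ] || return 0
    found=$(find "$dir" ! -type l -perm -o+w ! \( -type d -perm -1000 \) 2>/dev/null)
    if [ -n "$found" ]; then
        echo "$found" | sed 's/^/FAIL world-writable: /'
        return 1
    fi
    return 0
}

# audit_pgadmin [OWNER] -> runs both checks over the upstream install
# locations from the referenced issue; returns 1 if anything failed.
audit_pgadmin() {
    owner=${1:-root}
    status=0
    for d in /usr/pgadmin4/bin /usr/pgadmin4/venv /usr/pgadmin4/web; do
        check_dir "$d" "$owner" || status=1
        scan_tree "$d" || status=1
    done
    return $status
}

# Usage on a host: sh audit.sh (prints OK/SKIP/FAIL/WARN lines, exit 1 on FAIL)
[ "${AUDIT_PGADMIN_RUN:-1}" = 1 ] && [ "$(basename -- "$0")" = audit.sh ] && audit_pgadmin
```

On a SUSE system built as the comment describes, every directory reports SKIP because the package installs into standard system paths instead; on a tree laid out like upstream's, a FAIL line points at the exact entry whose mode needs tightening.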