Bugzilla – Bug 1222390
VUL-0: CVE-2024-3116: pgadmin4: pgadmin: remote code execution via validate binary path API
Last modified: 2024-04-19 09:05:08 UTC
pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3116
- https://github.com/pgadmin-org/pgadmin4/issues/7326
- https://www.cve.org/CVERecord?id=CVE-2024-3116
- https://gist.github.com/aelmokhtar/689a8be7e3bd535ec01992d8ec7b2b98
- https://bugzilla.redhat.com/show_bug.cgi?id=2273510
Upstream seems to have patched this in https://github.com/pgadmin-org/pgadmin4/commit/fbbbfe22dd468bcfef1e1f833ec32289a6e56a8b.

Other references:
- https://gist.github.com/aelmokhtar/689a8be7e3bd535ec01992d8ec7b2b98
- https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/
- https://github.com/pgadmin-org/pgadmin4/issues/7326
As per the write-up in [0], it seems like the function that ultimately leads to the RCE is a function called 'get_binary_path_versions' (this is the function that actually executes the supposed malicious code related to the unverified user input; the lack of user input validation happens in other locations in the code). This function seems to have been introduced with commit 35f05e49 [1], which is the fix for CVE-2023-5002 [2][3]. This means that it is possible that versions prior to 7.7 are not affected.

[0] https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/
[1] https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2
[2] https://www.suse.com/security/cve/CVE-2023-5002.html
[3] https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2
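The pattern the thread describes, a "validate binary path" routine that runs whatever executable sits in a caller-supplied directory, shown beside a hardened variant. This is an added illustration written for this page, not pgAdmin's code or the upstream fix: the binary names, the assumption that versions are obtained by running each binary with `--version`, and the allowed/forbidden directory roots are all hypothetical. The demo builds a constructed scenario under a temporary directory (a user-writable "storage" area holding a fake `pg_dump` shell script that leaves a marker file when run, and a benign stand-in under a fake install root) and needs a POSIX `/bin/sh`.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Hypothetical set of client binaries a version probe would look for.
EXPECTED_BINARIES = ("pg_dump", "pg_restore", "psql")


def _run_version(exe):
    # Run the binary directly (argv list, no shell) with a bounded runtime.
    proc = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()


def get_versions_unsafe(binary_dir):
    """Unsafe pattern: executes <binary_dir>/<name> for any directory the caller names.
    If the caller can also write files into that directory, this is code execution."""
    versions = {}
    for name in EXPECTED_BINARIES:
        exe = os.path.join(binary_dir, name)
        if os.path.isfile(exe) and os.access(exe, os.X_OK):
            versions[name] = _run_version(exe)
    return versions


def _is_under(path, root):
    # Compare resolved paths so symlinks cannot escape or enter a root.
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def validate_binary_dir(binary_dir, allowed_roots, forbidden_roots):
    """Hardened check (illustrative): the directory must resolve to a real directory,
    must not lie inside any user-writable area, and must lie under an allowed install root."""
    if not binary_dir or not os.path.isabs(binary_dir):
        raise ValueError("binary path must be an absolute path")
    real_dir = os.path.realpath(binary_dir)
    if not os.path.isdir(real_dir):
        raise ValueError("binary path is not a directory")
    if any(_is_under(real_dir, root) for root in forbidden_roots):
        raise ValueError("binary path lies inside a user-writable storage directory")
    if not any(_is_under(real_dir, root) for root in allowed_roots):
        raise ValueError("binary path is not under an allowed installation root")
    return real_dir


def get_versions_safe(binary_dir, allowed_roots, forbidden_roots):
    real_dir = validate_binary_dir(binary_dir, allowed_roots, forbidden_roots)
    versions = {}
    for name in EXPECTED_BINARIES:
        exe = os.path.join(real_dir, name)
        # Re-check each binary: a symlink from the allowed dir into an upload dir must not run.
        if not os.path.isfile(exe) or not _is_under(exe, real_dir):
            continue
        versions[name] = _run_version(exe)
    return versions


def make_fake_binary(directory, name, script_body):
    """Constructed fixture: a tiny shell script standing in for a real binary."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + script_body + "\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def demo():
    """Constructed scenario: attacker-writable upload dir versus a legitimate install dir."""
    base = tempfile.mkdtemp(prefix="binpath-demo-")
    try:
        upload_dir = os.path.join(base, "storage", "attacker")
        install_dir = os.path.join(base, "usr", "lib", "postgresql", "16", "bin")
        os.makedirs(upload_dir)
        os.makedirs(install_dir)
        allowed = [os.path.join(base, "usr", "lib", "postgresql")]
        forbidden = [os.path.join(base, "storage")]
        marker = os.path.join(base, "pwned.txt")
        # "Malicious" pg_dump: any execution leaves a marker file behind.
        make_fake_binary(upload_dir, "pg_dump",
                         'echo pwned > "%s"; echo "pg_dump (fake) 0.0"' % marker)
        make_fake_binary(install_dir, "pg_dump", 'echo "pg_dump (PostgreSQL) 16.2"')

        result = {"unsafe": get_versions_unsafe(upload_dir)}
        result["unsafe_executed_upload"] = os.path.exists(marker)
        if result["unsafe_executed_upload"]:
            os.remove(marker)
        try:
            get_versions_safe(upload_dir, allowed, forbidden)
            result["safe_rejected_upload"] = False
        except ValueError:
            result["safe_rejected_upload"] = True
        result["safe_executed_upload"] = os.path.exists(marker)
        result["safe_install"] = get_versions_safe(install_dir, allowed, forbidden)
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

The denylist on the storage root is the part that matters for the scenario in the write-up: an allowlist of install roots alone is enough only if none of those roots is writable by the application user, which the check above does not verify.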