Bugzilla – Bug 1223867
VUL-0: CVE-2024-4215: pgadmin4: multi-factor authentication bypass
Last modified: 2024-07-02 12:30:28 UTC
pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account's username and password to authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4215
- https://www.cve.org/CVERecord?id=CVE-2024-4215
- https://github.com/pgadmin-org/pgadmin4/issues/7425
- https://bugzilla.redhat.com/show_bug.cgi?id=2278850
The upstream patch seems to be available at: https://github.com/pgadmin-org/pgadmin4/commit/f4761f55f7cf6d56d6c5129f921393b0b47fd976
SUSE-SU-2024:2260-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1223867, 1223868
CVE References: CVE-2024-4215, CVE-2024-4216
Maintenance Incident: [SUSE:Maintenance:34492](https://smelt.suse.de/incident/34492/)

Sources used:
- Python 3 Module 15-SP6 (src): pgadmin4-8.5-150600.3.3.1
- openSUSE Leap 15.6 (src): pgadmin4-8.5-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.