Bugzilla – Bug 1227080
VUL-0: CVE-2024-6238: pgadmin4: pgadmin: Insecure permissions for the installation directory
Last modified: 2024-06-27 07:57:21 UTC
pgAdmin <= 8.8 has an installation directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6238
https://www.cve.org/CVERecord?id=CVE-2024-6238
https://github.com/pgadmin-org/pgadmin4/issues/7605
https://bugzilla.redhat.com/show_bug.cgi?id=2294249
Looking at the changes upstream made recently related to this, the fixes seem to be the following set of changes:
https://github.com/pgadmin-org/pgadmin4/commit/f7eeefa3a9e78ac08991870214bf74c882d4c0fe
https://github.com/pgadmin-org/pgadmin4/commit/3d107ea618bc1f0115bc5b76bce81f36822ce8e3
https://github.com/pgadmin-org/pgadmin4/commit/95ce9e976ec3f73f1f8c59b968f0880c59848be4
https://github.com/pgadmin-org/pgadmin4/commit/227f047810fc69cd1bee1b7689d3eadb358f9aa3
(with the last one being a partial revert of the previous commit, although the commit message implies it's a full revert)

After a close look at those changes (and the setup-web.sh script, which we don't even install, although upstream's Red Hat packages do), it seems they install things at /usr/pgadmin4/{bin,venv,web}, which are the directories mentioned in the description of https://github.com/pgadmin-org/pgadmin4/issues/7605, but we use standard system directories (and no venv), so I'd say we're not affected by this.
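Added example (editor's addition, not code from pgAdmin, from the upstream commits, or from the SUSE package): a small POSIX sh audit that checks whether anything under an installation tree is world-writable, which is the class of problem this CVE describes and the quickest way to confirm a given package layout is or is not affected. The default path /usr/pgadmin4 is the upstream layout named in the issue and is only an assumption; a distribution that installs into standard system directories would pass the directories it actually ships. Symbolic links are deliberately skipped, since find reports a symlink's own mode as 0777 on Linux and a venv contains several (e.g. venv/bin/python), which would otherwise produce false positives.

```shell
#!/bin/sh
# Added example (not pgAdmin or SUSE package code): audit an installation
# tree for world-writable entries. The default path /usr/pgadmin4 is the
# upstream layout from the issue and is an assumption; pass the directory
# your package actually installs into.

# check_world_writable DIR
#   Prints every entry under DIR (files and directories, not symlinks)
#   whose mode has the "other write" bit (octal 0002) set.
#   Returns 0 when nothing is world-writable, 1 when something is,
#   2 when DIR is not a directory. Symlinks are excluded because find
#   (lstat) reports their own mode as 0777, a false positive.
check_world_writable() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "check_world_writable: not a directory: $dir" >&2
        return 2
    fi
    found=$(find "$dir" ! -type l -perm -0002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# audit_install_dir [DIR]
#   Human-readable wrapper: shows the top-level mode (ls -ld), then the
#   offending entries, if any. Exit status is that of check_world_writable.
audit_install_dir() {
    dir=${1:-/usr/pgadmin4}
    ls -ld "$dir" 2>/dev/null
    check_world_writable "$dir"
    rc=$?
    case $rc in
        0) echo "OK: nothing under $dir is world-writable" ;;
        1) echo "FAIL: world-writable entries found under $dir" >&2 ;;
    esac
    return $rc
}

# Run directly:  sh audit_install_dir.sh /usr/pgadmin4
if [ $# -gt 0 ]; then
    audit_install_dir "$1"
fi
```

A non-zero exit from audit_install_dir is what a package test or a post-install check would gate on; a hit on a directory such as venv means any local user can drop or replace files (including Python modules) that the pgAdmin service will later load.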