PT-2022-13558 · Pgadmin 4+2 · Pgadmin 4+2

Sandipan Roy

Published

2022-03-16

Updated

2025-03-17

CVE-2022-0959

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions pgAdmin 4 (affected versions not specified)

Description A malicious, but authorized and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. This is possible due to the lack of validation of the upload path in the URI to which upload requests are made, allowing path traversal techniques to be used to store files outside of the storage directory.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Unrestricted File Upload

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434CWE-22

Related Identifiers

CVE-2022-0959

GHSA-CR8C-972V-RMP3

MGASA-2022-0257

OPENSUSE-SU-2022_1541-1

OPENSUSE-SU-2024:13667-1

SUSE-SU-2022:1541-1

SUSE-SU-2022_1541-1

Affected Products

Pgadmin

Suse

Pgadmin 4

PT-2022-13558 · Pgadmin 4+2 · Pgadmin 4+2

CVE-2022-0959

Weakness Enumeration

Related Identifiers

Affected Products

References · 18