PT-2022-26318 · Pgadmin+1

Akshay-Joshi · Published 2022-11-30 · Updated 2026-01-23 · CVE-2022-4223

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: pgAdmin versions prior to 6.17
Description: The pgAdmin server includes an HTTP API intended to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. This API determines the PostgreSQL version by executing the utility. However, versions of pgAdmin prior to 6.17 failed to properly secure this API, allowing an unauthenticated user to call it with a path of their choosing, such as a UNC path to a server they control on a Windows machine. This could cause an appropriately named executable in the target path to be executed by the pgAdmin server.
Recommendations: For versions prior to 6.17, update to version 6.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP API to minimize the risk of exploitation.
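The description above boils down to a server executing "<user-supplied dir>/pg_dump --version" without authentication and without confining the directory. The following is an added example, not pgAdmin's own code, of the path checks such an endpoint should enforce before touching the file system: refuse UNC paths, confine the directory to an allow-list of install roots (the roots and utility names are constructed assumptions), and re-validate after symlink resolution. The endpoint itself must additionally require an authenticated session.

```python
# Added example, not pgAdmin's code: checks to run before executing
# "<dir>/pg_dump --version" on a directory supplied over an HTTP API.
import os
import posixpath
import subprocess

# Constructed allow-list of install roots (assumption for this example).
ALLOWED_ROOTS = ("/usr/lib/postgresql", r"C:\Program Files\PostgreSQL")
UTILITIES = ("pg_dump", "pg_restore")

def _canon(path):
    """Normalise both separator styles so '..' and mixed slashes collapse."""
    return posixpath.normpath(path.replace("\\", "/"))

def reject_reason(binary_dir):
    """Return why binary_dir is unacceptable, or None if it passes."""
    if not binary_dir or "\x00" in binary_dir:
        return "empty or contains NUL"
    # \\host\share or //host/share would make the server fetch and run a
    # binary from a remote host (the CVE-2022-4223 scenario): refuse it.
    if binary_dir.replace("\\", "/").startswith("//"):
        return "UNC path"
    canon = _canon(binary_dir)
    for root in ALLOWED_ROOTS:
        croot = _canon(root)
        try:
            if posixpath.commonpath([croot, canon]) == croot:
                return None
        except ValueError:  # absolute/relative mix: not under this root
            continue
    return "outside allowed roots"

def utility_version_command(binary_dir, utility):
    """Build argv for '<dir>/<utility> --version'; ValueError on bad input."""
    if utility not in UTILITIES:
        raise ValueError("unknown utility")
    reason = reject_reason(binary_dir)
    if reason:
        raise ValueError(reason)
    canon = _canon(binary_dir)
    exe = utility + (".exe" if canon[1:3] == ":/" else "")  # drive letter => Windows
    return [posixpath.join(canon, exe), "--version"]

def utility_version(binary_dir, utility):
    """Run the version query, re-validating after symlink resolution."""
    argv = utility_version_command(binary_dir, utility)
    real = os.path.realpath(argv[0])
    if reject_reason(os.path.dirname(real)) or not os.access(real, os.X_OK):
        raise ValueError("resolved path is not a permitted executable")
    done = subprocess.run([real, "--version"], capture_output=True,
                          text=True, timeout=10, check=True)  # never shell=True
    return done.stdout.strip()
```

Rejecting the UNC form before normalisation matters because a leading "\\" survives path joins and would otherwise be handed straight to the OS loader.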

Fix

RCE

Missing Authorization

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-04744
CVE-2022-4223
GHSA-3V6V-2X6P-32MC

Affected Products

Pgadmin
Red Os