PT-2023-5414 · Pgadmin+1 · Pgadmin+1

Stefan Grönke

Published

2023-09-22

Updated

2025-03-17

CVE-2023-5002

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions pgAdmin versions prior to 7.7

Description The issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg dump and pg restore. This allows an authenticated user to run arbitrary commands on the server due to insufficient input validation. Approximately 5,294 results are affected, according to ZoomEyeDork.

Recommendations For pgAdmin versions prior to 7.7, update to version 7.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the pgAdmin server HTTP API to minimize the risk of exploitation. Avoid using the API endpoint that validates the path to external PostgreSQL utilities until the issue is resolved.

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-78

Related Identifiers

BDU:2023-06044

CVE-2023-5002

GHSA-GHP8-52VX-77J4

OPENSUSE-SU-2024:13379-1

Affected Products

Pgadmin

Red Os

PT-2023-5414 · Pgadmin+1 · Pgadmin+1

CVE-2023-5002

Weakness Enumeration

Related Identifiers

Affected Products

References · 25