CVE-2023-5002
Summary
| CVE | CVE-2023-5002 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-22 14:15:00 UTC |
| Updated | 2023-11-07 04:23:00 UTC |
| Description | A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Operating System | Fedoraproject | Fedora | 38 | All | All | All |
| Application | Pgadmin | Pgadmin | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 2239164 – (CVE-2023-5002) CVE-2023-5002 pgadmin4: remote code execution by an authenticated user | MISC | bugzilla.redhat.com | |
| [SECURITY] Fedora 38 Update: pgadmin4-6.21-3.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| [SECURITY] Fedora 37 Update: pgadmin4-6.19-2.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| Remote command Execution by an Authenticated user in pgAdmin 4 · Issue #6763 · pgadmin-org/pgadmin4 · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.