
CVE-2023-5002: pgAdmin failed to properly control the server code

CVSS Score
6 (CVSS 3.1)

Basic Information

EPSS Score
0.94729%
Published
9/22/2023
Updated
3/17/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H
Package Name
pgadmin4
Ecosystem
pip
Vulnerable Versions
< 7.7
First Patched Version
7.7

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from improper command execution patterns in two key functions:

  1. validate_binary_path directly executed user-controlled paths via subprocess.getoutput() using string formatting, making it susceptible to command injection.
  2. set_binary_path shared the same unsafe pattern before being patched. The commit diff shows both functions were changed to call subprocess.run() with an explicit argument list and shell=False, which identifies them as the injection vectors. The CWE-78 classification and the patch's focus on command execution safety confirm these as the vulnerable points.
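The two patterns the analysis contrasts, side by side, as an added example that is not pgAdmin's code: the function names mirror the page's validate_binary_path, but the bodies, the allowlist of utility names and the stub pg_dump fixture are assumptions made so the example runs offline on a POSIX system. The unsafe variant pastes the user-controlled directory into a shell command string; the hardened variant allowlists the utility name, checks the filesystem, and passes a single argv entry to subprocess.run() with shell=False so the path is never parsed by a shell.

```python
"""Added example (not pgAdmin's code): the CWE-78 pattern described above
beside a hardened alternative. Function names mirror the page's
validate_binary_path; the bodies and fixtures are illustrative."""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Tuple

# Assumed allowlist of the external PostgreSQL utilities a server may probe.
ALLOWED_UTILITIES = {"pg_dump", "pg_restore"}


def unsafe_validate_binary_path(binary_dir: str, utility: str) -> str:
    """Vulnerable pattern: the user-controlled directory is formatted into a
    shell command string, so any shell metacharacters in it are interpreted."""
    cmd = "{} --version".format(os.path.join(binary_dir, utility))
    return subprocess.getoutput(cmd)  # runs through /bin/sh, stderr merged


def validate_binary_path(binary_dir: str, utility: str) -> Tuple[bool, str]:
    """Hardened pattern: allowlisted utility name, filesystem checks, and an
    argument list handed to subprocess.run() with shell=False, so the path is
    one argv entry and never reaches a shell parser."""
    if utility not in ALLOWED_UTILITIES:
        return False, "utility not allowed: {!r}".format(utility)
    exe = Path(binary_dir, utility)
    if not exe.is_file() or not os.access(exe, os.X_OK):
        return False, "not an executable file: {}".format(exe)
    try:
        proc = subprocess.run(
            [str(exe), "--version"], shell=False,
            capture_output=True, text=True, timeout=5, check=False,
        )
    except (OSError, subprocess.TimeoutExpired) as err:
        return False, "could not run {}: {}".format(exe, err)
    if proc.returncode != 0:
        return False, proc.stderr.strip()
    return True, proc.stdout.strip()


def make_fake_utility_dir(version_line: str = "pg_dump (PostgreSQL) 99.0") -> str:
    """Constructed fixture: a temp directory holding a stub pg_dump script,
    so the example runs without PostgreSQL installed (POSIX only)."""
    directory = tempfile.mkdtemp(prefix="pgbin-")
    stub = Path(directory, "pg_dump")
    stub.write_text('#!/bin/sh\necho "{}"\n'.format(version_line))
    stub.chmod(0o755)
    return directory


if __name__ == "__main__":
    good_dir = make_fake_utility_dir()
    print(validate_binary_path(good_dir, "pg_dump"))
    # A directory string carrying shell metacharacters: the hardened version
    # rejects it (no such file), the vulnerable version hands it to the shell.
    hostile_dir = good_dir + "; echo INJECTED"
    print(validate_binary_path(hostile_dir, "pg_dump"))
    print(unsafe_validate_binary_path(hostile_dir, "pg_dump"))
```

Running the module shows the hardened validator returning a clean version string for the stub directory and a rejection for the metacharacter-laden one, while the getoutput() variant's output contains the text echoed by the injected command. The allowlist also blocks utility names such as ../pg_dump, which would otherwise let the joined path escape the chosen directory.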


WAF Protection Rules

WAF Rule

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server
