CVE-2024-2044: pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user
10
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.98943%
CWE
Published
3/7/2024
Updated
8/2/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pgAdmin4 | pip | < 8.4 | 8.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from three key issues:
- Path traversal via os.path.join() in session file operations (CWE-22)
- Unsafe pickle deserialization (CWE-502)
- Lack of path sanitization (CWE-31)
The commit diff shows replacement of os.path.join() with safe_join() and added security checks. The original functions in FileBackedSessionManager directly used user-controlled session IDs in path construction without validation, allowing attackers to:
- On Windows: Reference remote SMB paths for unauthenticated RCE
- On Linux: Traverse to uploaded pickle files for authenticated RCE These functions were directly involved in the insecure path handling and deserialization chain.