
Fedora 37 : pgadmin4 (2023-e7297a4aeb)

This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
fedora 37
prototype pollution
remote code execution

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-e7297a4aeb advisory.

  • JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later. (CVE-2022-46175)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

# (C) Tenable, Inc.
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2023-e7297a4aeb


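# Plugin metadata. This branch only registers attributes and then exits;
# the package comparison below runs when the plugin is executed against a host.
if (description)
{
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/05");

  # Declare the CVE explicitly so it agrees with cvss_score_source below.
  script_cve_id("CVE-2022-46175");
  script_xref(name:"FEDORA", value:"2023-e7297a4aeb");

  script_name(english:"Fedora 37 : pgadmin4 (2023-e7297a4aeb)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the
FEDORA-2023-e7297a4aeb advisory.

  - JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand
    (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and
    2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute
    the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by
    `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of
    Prototype Pollution. However, polluting the prototype of a single object can have significant security
    impact for an application if the object is later used in trusted operations. This vulnerability could
    allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The
    actual impact will depend on how applications utilize the returned object and how they filter unwanted
    keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme
    cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON
    strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores
    `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this
    vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later. (CVE-2022-46175)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # TODO: the advisory URL did not survive generation; left empty rather than guessed.
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"solution", value:
"Update the affected pgadmin4 package.");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-46175");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/29");

  # Local (authenticated) check: the result is based on the installed RPM
  # version, not on probing the vulnerable code path.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:37");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:pgadmin4");
  script_set_attribute(attribute:"generated_plugin", value:"current");

  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # KB keys that must already be populated by the host-information plugins.
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}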



# Gate the check on host facts collected earlier; every mismatch leaves via audit().
if (!get_kb_item('Host/local_checks_enabled'))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var release_string = get_kb_item('Host/RedHat/release');
if (isnull(release_string) || 'Fedora' >!< release_string)
  audit(AUDIT_OS_NOT, 'Fedora');

# Extract the numeric release from the banner and require exactly 37.
var release_match = pregmatch(pattern:"Fedora.*release ([0-9]+)", string:release_string);
if (isnull(release_match))
  audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
var fedora_version = release_match[1];
if (!preg(pattern:"^37([^0-9]|$)", string:fedora_version))
  audit(AUDIT_OS_NOT, 'Fedora 37', 'Fedora ' + fedora_version);

if (!get_kb_item('Host/RedHat/rpm-list'))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Any architecture outside this set is reported as "not implemented" rather than checked.
var arch = get_kb_item('Host/cpu');
if (isnull(arch))
  audit(AUDIT_UNKNOWN_ARCH);
var arch_supported = ('x86_64' >< arch) || (arch =~ "^i[3-6]86$") || ('s390' >< arch) || ('aarch64' >< arch);
if (!arch_supported)
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', arch);

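# Fixed package from FEDORA-2023-e7297a4aeb. Each entry is passed field by
# field to rpm_check() below; keys that are absent here default to NULL there.
var pkgs = [
    {'reference':'pgadmin4-6.19-1.fc37', 'release':'FC37', 'rpm_spec_vers_cmp':TRUE}
];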

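# Count how many reference packages are installed at a vulnerable version.
var flag = 0;
foreach package_array ( pkgs ) {
  # Every optional field starts as NULL so rpm_check() receives an explicit
  # "not supplied" value for keys the entry does not carry.
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  # Entries without both a reference NEVR and a release tag cannot be compared and are skipped.
  if (reference && _release) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}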

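# Report when at least one vulnerable package matched; otherwise audit out with
# the list of packages actually examined (or "not installed" if none were).
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pgadmin4');
}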