CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 53.0%
pgadmin4 is vulnerable to Path Traversal. The vulnerability is caused by insufficient input validation: the sessions directory path is concatenated with the session ID using the os.path.join function without enforcing a trusted base path, allowing an attacker to manipulate the session ID and traverse to unintended directories on the server.
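The os.path.join pattern described above is worth seeing side by side with a hardened version. The following is an added example and not pgadmin's code; the base directory, the session-ID allow-list and the sample IDs are all constructed for illustration. It shows the two ways an unchecked join escapes the base directory (a ".." component, and an absolute component, which makes os.path.join discard the base entirely) and a containment check that rejects both.

```python
import os
import re
from typing import Optional

# Constructed base directory for the example; it does not need to exist on
# disk because every check below is purely path-based. Not pgadmin's path.
SESSIONS_DIR = "/var/lib/app/sessions"

# Constructed allow-list: session IDs are treated as opaque tokens, so any
# separator, dot or control character is rejected up front.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def vulnerable_session_path(session_id: str) -> str:
    """The pattern the advisory describes: the sessions directory is joined
    with an untrusted session ID and the result is used as-is. normpath is
    applied only so the escape is visible in the returned string."""
    return os.path.normpath(os.path.join(SESSIONS_DIR, session_id))


def safe_session_path(session_id: str) -> Optional[str]:
    """Hardened form with two independent checks:
    1. the session ID must match a strict allow-list;
    2. the resolved path must still lie under the trusted base directory
       (defence in depth, and it also catches symlink tricks via realpath).
    Returns None when the ID is rejected."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    base = os.path.realpath(SESSIONS_DIR)
    candidate = os.path.realpath(os.path.join(base, session_id))
    # commonpath rather than startswith: "/var/lib/app/sessions_x" starts
    # with the base string but is a sibling directory, not a child of it.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def classify(session_ids):
    """Return {id: (vulnerable_result, hardened_result)} for a batch of IDs."""
    return {
        sid: (vulnerable_session_path(sid), safe_session_path(sid))
        for sid in session_ids
    }


if __name__ == "__main__":
    # Constructed sample inputs: one benign token, the two classic escapes,
    # and an empty ID.
    samples = ["a1b2c3", "../../../etc/passwd", "/etc/passwd", ""]
    for sid, (bad, good) in classify(samples).items():
        print(f"{sid!r:24} unchecked -> {bad!r:28} hardened -> {good!r}")
```

The absolute-path case is the one most often missed: os.path.join("/base", "/etc/passwd") returns "/etc/passwd", so a naive join offers no protection even when ".." is filtered. The realpath plus commonpath check is what actually pins the result under the base directory.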
github.com/advisories/GHSA-rj98-crf4-g69w
github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d
github.com/pgadmin-org/pgadmin4/issues/7258
lists.fedoraproject.org/archives/list/[email protected]/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/
www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/