CRITICAL🇵🇱 Wersja polska

CVE-2024-2044

CVSS 9.9v3.1pub. 2024-03-07upd. 2025-09-19

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

🤖 AI Analysis
How it works

During user session deserialization, the application code does not properly verify paths, resulting in a path traversal vulnerability (CWE-31). On Windows systems, an unauthenticated attacker can point to a remote pickle object and cause it to be deserialized by the server, thereby achieving code execution. On POSIX/Linux systems, an authenticated attacker can upload a crafted pickle object to the server and then force the application to deserialize it, which also leads to RCE. The Python pickle mechanism is inherently unsafe — deserialization of untrusted data allows arbitrary code execution in the context of the server process.

Impact

An attacker can obtain full code execution on the server (RCE) in the context of the pgAdmin process, which in practice means the ability to take control of the server, steal data, and perform further lateral movement in the network.

Mitigation & patch

pgAdmin 4 should be updated to a version newer than 8.3, in which the bug was fixed. Details regarding the patch are available in the vendor's references (GitHub pgadmin-org/pgadmin4 issue #7258) and Fedora Package Announce communications. Until an update is applied, consider restricting access to the pgAdmin interface exclusively to trusted networks or IP addresses, and on Windows systems — block outgoing network connections from the pgAdmin process.

Who is affected

pgAdmin 4 versions 8.3 and earlier (pgadmin-org/pgadmin4); affects installations on Windows and POSIX/Linux systems. The vulnerability also affects pgAdmin packages available in Fedora Linux.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Fedora Project Fedora

    OS
    Fedoraproject
    40
  • Pgadmin 4

    APP
    Pgadmin
    < 8.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth BypassDeserialization
CWE
References

Related vulnerabilities

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML

CVE-2024-4947CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)

CVE-2024-4671CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox

CVE-2023-6345CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Integer overflow w Skia w Google Chrome — sandbox escape