CVE-2024-2044

Exploit

EPSS 81.66%
Published 07.03.2024 21:15:08
Last modified 19.09.2025 14:55:20
Source f86ef6dc-4d3a-42ad-8f28-e6d554
Teams watchlist Login
Open Login

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Pgadmin ≫ Pgadmin 4 SwPlatformpostgresql Version < 8.4

Fedoraproject ≫ Fedora Version40

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	81.66%	0.991

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-31 Path Traversal: 'dir\..\..\filename'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\..\..\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.

https://github.com/pgadmin-org/pgadmin4/issues/7258

Vendor Advisory

Issue Tracking

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/

Mailing List

https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-2044

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-2044

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-2044

EUVD