
[GHSA-rj98-crf4-g69w] pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user #3950

Conversation

TheZ3ro

@TheZ3ro TheZ3ro commented Mar 9, 2024

Updates

  • Affected products
  • CVSS
  • Description
  • References
  • Severity

Comments
The full advisory for the vulnerability is now public:
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/

@github-actions github-actions bot changed the base branch from main to TheZ3ro/advisory-improvement-3950 March 9, 2024 19:24
@shelbyc
Contributor

shelbyc commented Mar 11, 2024

Hi @TheZ3ro, thank you for alerting us to the publication of the vendor report. If you haven't already, make sure to contact PostgreSQL to have the report added to the list of reference links in the CVE record. Thank you as well for some clarified wording to use in the advisory. The contribution is accepted and you have a credit because of these changes.

Before making any changes to the CVSS, however, I have a question about the attack complexity values and the high vs. low confidentiality, integrity, and availability values. It is my understanding that deserialization vulnerabilities usually have high impact on confidentiality, integrity, and availability, but the CVE Numbering Authority assessed low impact to all three. Additionally, you have attack complexity set to low while the CNA set it to high. How did you reach a different conclusion about these variables?

@advisory-database advisory-database bot merged commit 6adc895 into TheZ3ro/advisory-improvement-3950 Mar 11, 2024
2 checks passed
@advisory-database advisory-database bot deleted the TheZ3ro-GHSA-rj98-crf4-g69w branch March 11, 2024 14:26
@advisory-database
Contributor

Hi @TheZ3ro! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@TheZ3ro
Author

TheZ3ro commented Mar 11, 2024

Hi @shelbyc!
Thanks for the prompt reply and the in-depth analysis.

Yes, we got in touch with PostgreSQL CNA (the complete interaction is described in the advisory Disclosure Timeline) but after their CVE publication we never got a response. We proposed to them the same CVSS score as this PR but apparently they refused it and published the current one without giving us a rationale.

Our rationale follows:

  • attack complexity is set to low because an attacker can expect repeatable success when exploiting the vulnerability and there are no mitigations or conditions that prevent this in the default pgAdmin configuration.
  • confidentiality, integrity, availability are set to high because an attacker can deserialize arbitrary Python objects (e.g., os.system) and gain code execution on the host. From there they can gain administrative access to pgAdmin software, and read/write/delete all the data stored in the pgAdmin software (Vulnerable System Impact). Moreover they can also access (depending on privileges) all the data of the PostgreSQL databases linked and managed inside pgAdmin (Subsequent System Impact).

Hope it is clear, thanks.

@shelbyc
Contributor

shelbyc commented Mar 11, 2024

@TheZ3ro Thanks for telling me more about your thought process when determining CVSS! After reading pgadmin-org/pgadmin4#7258 and https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce, I agree your severity assessment is in line with CVSS guidelines and have adjusted the advisory to include AC:L and C:H/I:H/A:H.
