CVE-2023-5002
pgAdmin failed to properly control the server code
Severity: MEDIUM (CVSS 3.1 base score 6.0)
EPSS: 23.8%
Description
A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.
How to fix CVE-2023-5002
To remediate CVE-2023-5002, upgrade the affected package to a fixed version below.
- pgAdmin: upgrade to 7.7 or later
Is CVE-2023-5002 being exploited?
Moderate — EPSS is 23.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- pgAdmin: all versions from 0 up to, but not including, 7.7
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.0 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H |