CVE-2024-3116 — pgAdmin Remote Code Execution (RCE) vulnerability

Description

pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

How to fix CVE-2024-3116

To remediate CVE-2024-3116, upgrade the affected package to a fixed version below.

—upgrade to 8.5 or later

Is CVE-2024-3116 being exploited?

Likely — EPSS is 90.7%, placing CVE-2024-3116 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 8.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-3116
PATCHgithub.com/pgadmin-org/pgadmin4
WEBgist.github.com/aelmokhtar/689a8be7e3bd535ec01992d8ec7b2b98
WEBgithub.com/pgadmin-org/pgadmin4/commit/fbbbfe22dd468bcfef1e1f833ec32289a6e56a8b