[GHSA-rj98-crf4-g69w] pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user

[TheZ3ro]

Updates

• Affected products
• CVSS
• Description
• References
• Severity

Comments
The full advisory for the vulnerability is now public:
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/

[shelbyc]

Hi @TheZ3ro, thank you for alerting us to the publication of the vendor report. If you haven't already, make sure to contact PostgreSQL to have the report added to the list of reference links in the CVE record. Thank you as well for some clarified wording to use in the advisory. The contribution is accepted and you have a credit because of these changes.

Before making any changes to the CVSS, however, I have a question about the attack complexity values and the high vs. low confidentiality, integrity, and availability values. It is my understanding that deserialization vulnerabilities usually have high impact on confidentiality, integrity, and availability, but the CVE Numbering Authority assessed low impact to all three. Additionally, you have attack complexity set to low while the CNA set it to high. How did you reach a different conclusion about these variables?

[advisory-database]

Hi @TheZ3ro! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[TheZ3ro]

Hi @shelbyc!
Thanks for the prompt reply and the in depth analysis.

Yes, we got in touch with PostgreSQL CNA (the complete interaction is described in the advisory Disclosure Timeline) but after their CVE publication we never got a response. We proposed to them the same CVSS score as this PR but apparently they refused it and published the current one without giving us a rationale.

Our rationale follows:

• attack complexity is set to low because an attacker can expect repeatable success when exploiting the vulnerability and there are no mitigations or conditions that prevents this in the default pgAdmin configuration.
• confidentiality, integrity, availability are set to high because an attacker can deserialize arbitrary Python objects (eg, os.system) and gain code execution on the host. From there they can gain administrative access to pgAdmin software, and read/write/delete all the data stored in the pgAdmin software (Vulnerable System Impact). Moreover they can also access(depending on privileges) all the data of the PostgreSQL databases linked and managed inside pgAdmin (Subsequent System Impact).

Hope it is clear, thanks.

[shelbyc]

@TheZ3ro Thanks for telling me more about your thought process when determining CVSS! After reading pgadmin-org/pgadmin4#7258 and https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce, I agree your severity assessment is in line with CVSS guidelines and have adjusted the advisory to include AC:L and C:H/I:H/A:H.