CVE-2024-2044: pgAdmin Remote Code Execution Vulnerability

A recently patched vulnerability (CVE-2024-2044) in pgAdmin, the widely-used PostgreSQL administration tool, highlights the ever-present risks of unsafe data deserialization and insufficient input validation. This flaw, if left unaddressed, could have enabled remote code execution for authenticated attackers.

pgAdmin manages user sessions by storing them as special files on your computer (called “pickle objects”). Every time you interact with pgAdmin, it uses a cookie named ‘pga4_session’ to locate and load the right session file. The ‘pga4_session’ cookie is divided into two parts. The first part is your unique session ID, and the second part serves as a security check.

|The vulnerability lies in versions of pgAdmin prior to 8.4 where a method loads session files by concatenating the sessions folder – located inside the pgAdmin 4 DATA_DIR – with the session ID. Precisely, the two values are concatenated using the [‘os.path.join’] function. It does not set a trusted base-path which should not be escaped,”  Aditya Toshniwal explains.

An attacker could trick pgAdmin into loading a malicious file from an unauthorized location. Successful exploitation could have granted attackers the ability to execute code with pgAdmin’s privileges, potentially leading to database compromise, data theft, or system-wide infiltration. CVE-2024-2044 doesn’t impact users running pgAdmin in desktop mode.

Administrators should immediately upgrade to pgAdmin 4 v8.4 or later. The patch likely enforces stricter input validation and path construction, mitigating the risk. This vulnerability reinforces the principles of input sanitization and secure data handling. All external inputs must be treated with suspicion and rigorously validated.

Update: 

On March 8, the technical details and a proof-of-concept for this flaw have been published.