Cyber Resilience

CVE-2023-5002

Severity: Medium · RCE

Published: 22 September 2023
Modified: 17 March 2025
KEV Added: not listed
Patch: fixed upstream (see Deeper analysis)
CVSS v3.1 base score: 6.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H)
EPSS score: 0.2376 (96.1th percentile)
Risk Priority: 26 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-5002 is a medium-severity OS Command Injection (CWE-78) vulnerability in pgAdmin 4, as packaged in Fedora. Its CVSS base score is 6.0 (Medium).

Operationally, its EPSS score places it in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-5002 is an OS command injection vulnerability in pgAdmin 4. The flaw is in the server-side HTTP API that validates the path a user selects for external PostgreSQL utilities such as pg_dump and pg_restore: the user-supplied path reached the code that executes those utilities without adequate control, so a crafted path could cause arbitrary operating-system commands to run on the server. The issue is tracked as CWE-78 and carries a CVSS 3.1 base score of 6.0 (Medium).

Exploitation requires an authenticated, high-privilege pgAdmin account (PR:H), network access to the API (AV:N), and user interaction (UI:R), with high attack complexity (AC:H); in practice, the attacker must already be a user who is allowed to set those utility paths. A successful attack runs commands as the pgAdmin server process on the host, which the vector scores as high impact to integrity and availability and low impact to confidentiality.

Public advisories published by Red Hat and Fedora reference the upstream pgAdmin issue tracker and state that the vulnerability is resolved by upgrading to version 7.6 or later. Note that the affected-assets listing on this page records pgAdmin 4 up to 7.7, so when checking deployments, compare the installed version against the upstream pgAdmin release notes for the fix rather than relying on either number alone, and audit the utility paths already configured by privileged users. The current EPSS score of 0.2376 (peak 0.2721) indicates moderate and relatively stable exploitation interest since disclosure.
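The pattern described above, as an added example written for this page (not pgAdmin's own code): a hypothetical path-validation probe that interpolates the user-selected utility directory into a shell command, beside a hardened version that confines the path to an administrator-configured root, accepts only known utility names, and launches the binary without a shell. The function names, the `--version` probe, the allowlist and the allowed-root setting are assumptions; the fake pg_dump and the injection payload are constructed inputs.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumption: the server only ever needs these client utilities.
ALLOWED_UTILITIES = frozenset({"pg_dump", "pg_dumpall", "pg_restore", "psql"})


def vulnerable_version_command(utility_dir: str, utility: str) -> str:
    """Vulnerable pattern (hypothetical): the user-chosen directory is
    interpolated into one shell string, so ';' in utility_dir starts a
    second command that the shell runs as the server process."""
    return f"{utility_dir}/{utility} --version"


def vulnerable_check(utility_dir: str, utility: str) -> str:
    """Runs the probe through the system shell (shell=True); returns stdout."""
    proc = subprocess.run(vulnerable_version_command(utility_dir, utility),
                          shell=True, capture_output=True, text=True, timeout=10)
    return proc.stdout


def safe_check(utility_dir: str, utility: str, allowed_roots) -> str:
    """Hardened probe: fixed utility name, resolved directory confined to an
    administrator-configured root, regular executable file, argv list, no shell."""
    if utility not in ALLOWED_UTILITIES:
        raise ValueError(f"unknown utility {utility!r}")
    try:
        base = Path(utility_dir).resolve(strict=True)  # follows symlinks, no '..'
    except OSError as exc:
        raise ValueError(f"directory does not exist: {utility_dir!r}") from exc
    roots = [Path(r).resolve() for r in allowed_roots]
    if not any(base == r or r in base.parents for r in roots):
        raise ValueError(f"{base} is outside the allowed roots")
    exe = base / utility
    try:
        st = exe.stat()
    except OSError as exc:
        raise ValueError(f"{exe} not found") from exc
    if not stat.S_ISREG(st.st_mode) or not os.access(exe, os.X_OK):
        raise ValueError(f"{exe} is not a regular executable")
    # argv list with shell=False: the path is one argument and is never parsed by a shell.
    proc = subprocess.run([str(exe), "--version"], capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()


def demo() -> dict:
    """Constructed inputs: an injection payload and a fake pg_dump in a temp dir."""
    results = {}
    payload = "/nonexistent; echo INJECTED; #"   # constructed attacker-controlled path
    results["vulnerable_output"] = vulnerable_check(payload, "pg_dump")
    try:
        safe_check(payload, "pg_dump", allowed_roots=["/usr"])
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "pg_dump"           # constructed stand-in for the real binary
        fake.write_text("#!/bin/sh\necho 'pg_dump (PostgreSQL) 15.4'\n")
        fake.chmod(0o755)
        results["safe_output"] = safe_check(tmp, "pg_dump", allowed_roots=[tmp])
        # A real directory is still rejected when it is not under a configured root.
        try:
            safe_check(tmp, "pg_dump", allowed_roots=["/usr/lib/postgresql"])
            results["root_enforced"] = False
        except ValueError:
            results["root_enforced"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened version does not rely on quoting: even a correctly quoted path would still let a privileged user point the server at any executable on the host, which is why the directory is also confined to configured roots and the basename is taken from a fixed allowlist rather than from the request.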


Vulnerability details

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

CWE(s)

CWE-78: OS Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pgadmin, pgadmin 4: ≤ 7.7
fedoraproject, fedora: 37, 38

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Note that pgAdmin must launch pg_dump and pg_restore as operating-system processes by design, so a runtime that blocks OS command execution does not fit this case; the effective control is the version upgrade.

Control addressing CWE-78: Validates inputs to block special elements that would alter OS command execution. For this CVE that means treating the user-selected utility path as untrusted: confine it to an administrator-configured directory, accept only the expected utility names, and hand it to the process launcher as a single argument rather than through a shell.
