Cyber Resilience

CVE-2024-3116

Severity: High · Public PoC available

Published: 04 April 2024

Modified: 17 March 2025
KEV Added: not listed
Patch: no details available
CVSS v3.1 score: 7.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
EPSS score: 0.9068 (99.6th percentile)
Risk priority: 69 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-3116 is a high-severity Command Injection (CWE-77) vulnerability in pgAdmin 4. Its CVSS base score is 7.4 (High).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

pgAdmin versions 8.4 and earlier contain a remote code execution vulnerability in the validate binary path API. The flaw, tracked as CVE-2024-3116, carries a CVSS 3.1 score of 7.4 and is classified as CWE-77 command injection: an authenticated user can supply crafted input to the API that is passed into a command and executed on the host running pgAdmin.

An attacker with low-privileged network access (PR:L, AV:N) and no user interaction (UI:N) can invoke the affected API endpoint to run commands on the server. The vector records a low (partial) impact on each of confidentiality, integrity, and availability (C:L/I:L/A:L), but with a changed scope (S:C): code running on the host is not confined to the pgAdmin instance and can reach other components on the same machine, including any PostgreSQL data the instance is configured to manage.

The EPSS score for this CVE stands at 0.9068 and has shown no material increase since disclosure. Public references include a GitHub issue and proof-of-concept material, but the available information gives no details on official patches or mitigation steps.

Vulnerability details

pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting pgAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

CWE(s)

CWE-77: Command Injection
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pgadmin / pgadmin 4 / versions ≤ 8.4
fedoraproject / fedora / 39

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
