CVE-2024-3116
Published: 04 April 2024
Summary
CVE-2024-3116 is a high-severity Command Injection (CWE-77) vulnerability in pgAdmin 4 (vendor: pgAdmin). Its CVSS base score is 7.4 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
pgAdmin versions 8.4 and earlier contain a remote code execution vulnerability in the validate binary path API. The flaw, tracked as CVE-2024-3116, carries a CVSS 3.1 score of 7.4 and is associated with CWE-77 command injection, allowing an authenticated user to supply crafted input that results in arbitrary code execution on the host running pgAdmin.
An attacker with low-privileged network access and no user interaction can invoke the affected API endpoint to run commands on the server. Successful exploitation yields limited impact on confidentiality, integrity, and availability while changing scope to other components on the same host, thereby threatening both the pgAdmin instance and any connected PostgreSQL data.
The EPSS score for this CVE stands at 0.9068 with no material increase after disclosure. Public references include a GitHub issue and proof-of-concept material, but no details on official patches or mitigation steps are provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1054
Vulnerability details
pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.