CVE-2024-2044 CRITICAL

CVE-2024-2044: Unsafe Deserialisation and Remote Code Execution by an Authenticated user in pgAdmin 4

Vendor Pgadmin.org
Product pgAdmin 4
Published March 7, 2024
Last update February 13, 2025

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

Key dates

02Disclosure timeline

March 7, 2024 CVE published
February 13, 2025 Record updated