CVE-2024-9014 CRITICAL

CVE-2024-9014: OAuth2 client id and secret exposed through the web browser in pgAdmin 4

Vendor: Pgadmin.org
Product: pgAdmin 4
Published: September 23, 2024
Last update: September 23, 2024

CVSS base score

9.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.

Key dates

02 Disclosure timeline

September 23, 2024: CVE published
September 23, 2024: Record updated