CVE-2024-2044

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/pgadmin-org/pgadmin4/issues/7258	Issue Tracking Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/	Mailing List
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/	Exploit Third Party Advisory
https://github.com/pgadmin-org/pgadmin4/issues/7258	Issue Tracking Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/	Mailing List
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

History

19 Sep 2025, 14:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:pgadmin:pgadmin_4::::::postgresql::* cpe:2.3:o:fedoraproject:fedora:40:::::::*
First Time		Fedoraproject Pgadmin Fedoraproject fedora Pgadmin pgadmin 4
References	~~() https://github.com/pgadmin-org/pgadmin4/issues/7258 -~~	() https://github.com/pgadmin-org/pgadmin4/issues/7258 - Issue Tracking, Vendor Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/ - Mailing List
References	~~() https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ -~~	() https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ - Exploit, Third Party Advisory

13 Feb 2025, 18:17

Type	Values Removed	Values Added
Summary	(en) pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.	(en) pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

Information

Published : 2024-03-07 21:15

Updated : 2025-09-19 14:55

NVD link : CVE-2024-2044

Mitre link : CVE-2024-2044

CVE.ORG link : CVE-2024-2044

JSON object : View

Products Affected

pgadmin

pgadmin_4

fedoraproject

fedora

CWE

CWE-31

Path Traversal: 'dir\..\..\filename'

9.9 /10