CVE-2024-2044

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

gAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

References

Link	Resource
https://github.com/pgadmin-org/pgadmin4/issues/7258	Issue Tracking Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/	Mailing List
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/	Exploit Third Party Advisory
https://github.com/pgadmin-org/pgadmin4/issues/7258	Issue Tracking Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/	Mailing List
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

History

19 Sep 2025, 14:55

Type	Values Removed	Values Added
First Time		Pgadmin pgadmin 4 Pgadmin Fedoraproject Fedoraproject fedora
CPE		cpe:2.3:o:fedoraproject:fedora:40:::::::* cpe:2.3:a:pgadmin:pgadmin_4::::::postgresql::*
References	~~() https://github.com/pgadmin-org/pgadmin4/issues/7258 -~~	() https://github.com/pgadmin-org/pgadmin4/issues/7258 - Issue Tracking, Vendor Advisory
References	~~() https://lists.fedoraproject.org/archives/list/[email protected]/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/ -~~	() https://lists.fedoraproject.org/archives/list/[email protected]/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/ - Mailing List
References	~~() https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ -~~	() https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ - Exploit, Third Party Advisory

13 Feb 2025, 18:17

Type	Values Removed	Values Added
Summary	(en) pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.	(en) pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.

21 Nov 2024, 09:08

Type	Values Removed	Values Added
References	~~() https://github.com/pgadmin-org/pgadmin4/issues/7258 -~~	() https://github.com/pgadmin-org/pgadmin4/issues/7258 -
References	~~() https://lists.fedoraproject.org/archives/list/[email protected]/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/ -~~	() https://lists.fedoraproject.org/archives/list/[email protected]/message/LUYN2JXKKHFSVTASH344TBRGWDH64XQV/ -
References	~~() https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ -~~	() https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ -

01 Aug 2024, 13:49

Type	Values Removed	Values Added
CWE		CWE-31

Information

Published : 2024-03-07 21:15

Updated : 2025-09-19 14:55

NVD link : CVE-2024-2044

Mitre link : CVE-2024-2044

CVE.ORG link : CVE-2024-2044

JSON object : View

Products Affected

fedoraproject

fedora

pgadmin

pgadmin_4

CWE

CWE-31

Path Traversal: 'dir\..\..\filename'

9.9 /10