CVE-2022-4223

Source
https://cve.org/CVERecord?id=CVE-2022-4223
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4223.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-4223
Aliases
Published
2022-12-13T16:15:26.277Z
Modified
2025-11-14T13:48:02.401991Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

The pgAdmin server includes an HTTP API intended to validate the path a user selects to external PostgreSQL utilities such as pgdump and pgrestore. The server executes the selected utility to determine which PostgreSQL version it belongs to. Versions of pgAdmin prior to 6.17 failed to properly secure this API, which could allow an unauthenticated user to call it with a path of their choosing, such as a UNC path (on a Windows machine) to a server they control. This would cause an appropriately named executable in the target path to be executed by the pgAdmin server.

References

Affected packages

Git / github.com/pgadmin-org/pgadmin4

Affected ranges

Type
GIT
Repo
https://github.com/pgadmin-org/pgadmin4
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
REL-1_0
REL-1_0-BETA1
REL-1_0-BETA2
REL-1_0-BETA3
REL-1_0-BETA4
REL-1_0-RC1
REL-1_1
REL-1_2
REL-1_3
REL-1_4
REL-1_5
REL-1_6
REL-2_0
REL-2_0-RC1
REL-2_0-RC2
REL-2_1
REL-3_0
REL-3_1
REL-3_2
REL-3_3
REL-3_4
REL-3_5
REL-3_6
REL-4_0
REL-4_1
REL-4_10
REL-4_11
REL-4_12
REL-4_13
REL-4_14
REL-4_15
REL-4_16
REL-4_17
REL-4_18
REL-4_19
REL-4_2
REL-4_20
REL-4_21
REL-4_22
REL-4_23
REL-4_24
REL-4_25
REL-4_26
REL-4_27
REL-4_28
REL-4_29
REL-4_3
REL-4_30
REL-4_4
REL-4_5
REL-4_6
REL-4_7
REL-4_8
REL-4_9
REL-5_0
REL-5_1
REL-5_2
REL-5_3
REL-5_4
REL-5_5
REL-5_6
REL-5_7
REL-6_0
REL-6_1
REL-6_10
REL-6_11
REL-6_12
REL-6_13
REL-6_14
REL-6_15
REL-6_16
REL-6_2
REL-6_3
REL-6_4
REL-6_5
REL-6_6
REL-6_7
REL-6_8
REL-6_9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4223.json"