pgAdmin is vulnerable to a multi-factor authentication bypass (CWE-287) whereby an attacker with knowledge of an account’s credentials can manage files and make SQL queries regardless of whether or not the account has been configured with MFA. This vulnerability has a CVSS v3 score of 6.4 with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Exploitation

An attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries regardless of the account’s MFA enrollment status.

pgAdmin4 is a rewrite of the original application in Python and has evolved into pgAdmin4 version 8.5 (the latest version as of when this vulnerability was discovered). The application is written using the Flask web framework and uses common Flask patterns such as blueprints, which is a web application component that may include one or more resource handlers called “views”.

Upon normal authentication, an MFA-enabled user is granted a session without the mfa_authenticated key. pgAdmin then offers an mfa_required decorator that must be applied to individual Flask views in order to be protected. Once the username and password are validated, the session object itself is valid, meaning each view must opt into MFA authentication as opposed to being required to create a valid and authenticated session. The main view of the browser blueprint opts into MFA authentication. The /browser/ resource is the default location a newly authenticated user is redirected to. When this view is rendered by Flask, the MFA authentication status is checked and the user is prompted to enter their OTP.

If, however, the user has automated the necessary HTTP requests, there is nothing stopping them from using their authenticated session and accessing other parts of the application including the file manager and SQL editor blueprints. These two resources, along with others, only require an authenticated session, effectively ignoring the account’s MFA requirement.

Impact

An attacker is able to leverage an MFA-enabled account with only knowledge of its username and password to execute SQL queries and manage files. It should be noted that the file manager does not have full access to the root file system by default but is commonly used to store SQL related data files.

This vulnerability was fixed in pgAdmin 8.6 by commit f4761f5.

pgAdmin versions <=8.3 are vulnerable to a path traversal vulnerability in the session handling logic. This can be leveraged by an attacker to load a malicious serialized object and execute Python code within the context of the application. On Linux servers, this requires the ability to write files to the target. pgAdmin has a file management component that is available by default for users. With a known username and password, a user can authenticate to pgAdmin, upload a malicious object, and trigger code execution through the path traversal vulnerability. It should be noted that CVE-2024-4215 affects a superset of pgAdmin versions and, therefore, an attacker would be able to leverage an account regardless of it’s MFA enrollment status.

When targeting Windows servers, the vulnerability can lead to code execution by using a UNC path in place of the path traversal. Insecure outbound guest access was disabled by default in Windows 10 v1709 (Redstone 3). To leverage this technique, the target would either need to be an older system, or have guest access explicitly enabled. Alternatively, Windows servers can also be exploited by using the same file management functionality provided by pgAdmin.

This vulnerability was fixed in commit 4e49d75.