SUSE update for pgadmin4



Updated: 2025-02-21
Risk: High
Patch available: Yes
Number of vulnerabilities: 10
CVE-ID: CVE-2024-38355, CVE-2024-38998, CVE-2024-38999, CVE-2024-39338, CVE-2024-4067, CVE-2024-4068, CVE-2024-43788, CVE-2024-48948, CVE-2024-48949, CVE-2024-9014
CWE-ID: CWE-754, CWE-1321, CWE-918, CWE-185, CWE-789, CWE-79, CWE-347, CWE-20, CWE-287
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #10 is available.
Vulnerable software:
Python 3 Module (Operating systems & Components / Operating system)
openSUSE Leap (Operating systems & Components / Operating system)
SUSE Linux Enterprise Server for SAP Applications 15 (Operating systems & Components / Operating system)
SUSE Linux Enterprise Server 15 (Operating systems & Components / Operating system)
SUSE Linux Enterprise Desktop 15 (Operating systems & Components / Operating system)
pgadmin4-web-uwsgi (Operating systems & Components / Operating system package or component)
pgadmin4 (Operating systems & Components / Operating system package or component)
pgadmin4-cloud (Operating systems & Components / Operating system package or component)
pgadmin4-doc (Operating systems & Components / Operating system package or component)
system-user-pgadmin (Operating systems & Components / Operating system package or component)
pgadmin4-desktop (Operating systems & Components / Operating system package or component)

Vendor: SUSE

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Improper Check for Unusual or Exceptional Conditions

EUVDB-ID: #VU94660

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-38355

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling. A remote attacker can send a specially crafted Socket.IO packet to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Prototype pollution

EUVDB-ID: #VU97243

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-38998

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to prototype pollution via the function config. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in arbitrary code execution or denial of service (DoS).

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Prototype pollution

EUVDB-ID: #VU97244

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-38999

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to prototype pollution via the function s.contexts._.configure. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
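Both prototype-pollution findings (#2 and #3) come from a configuration helper that recursively copies caller-supplied keys into an object. The block below is an added example, not code from pgAdmin or from the library the bulletin names: a merge routine in the vulnerable shape, the same routine hardened, and a scanner a request layer can run on decoded JSON before it reaches any merge. The payload and property names are constructed.

```javascript
// Added example, not code from pgAdmin or from the libraries the bulletin names.
// A recursive config merge in a vulnerable form and a hardened form, plus a
// scanner for forbidden keys in decoded request bodies.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: iterates every key the caller supplied, so a key named
// "__proto__" makes target[key] resolve to Object.prototype and the recursion
// writes attacker-chosen properties onto it.
function mergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: only own keys, forbidden names rejected outright, and new
// containers are created without a prototype so nothing shared is reachable.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Scanner: returns the JSON paths of every forbidden key in a decoded payload,
// usable for logging or alerting at the request boundary.
function findForbiddenKeys(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findForbiddenKeys(value[key], here, found);
  }
  return found;
}

// Constructed payload shaped like a JSON config body (not a real request).
const CRAFTED_JSON =
  '{"paths":{"app":"js/app"},"__proto__":{"pollutedByExample":true}}';

// Runs both merges on the payload and reports what each one did.
function demonstrate() {
  const craftedA = JSON.parse(CRAFTED_JSON);
  const craftedB = JSON.parse(CRAFTED_JSON);
  const result = {
    scannerHits: findForbiddenKeys(craftedA),
    vulnerableLeaked: false,
    safeRejected: false,
    safeLeaked: false,
  };
  try {
    mergeVulnerable({}, craftedA);
    // An unrelated, freshly created object now carries the injected property.
    result.vulnerableLeaked = ({}).pollutedByExample === true;
  } finally {
    delete Object.prototype.pollutedByExample; // undo for the rest of the process
  }
  try {
    mergeSafe({}, craftedB);
  } catch (e) {
    result.safeRejected = true;
  }
  result.safeLeaked = ({}).pollutedByExample === true;
  return result;
}

console.log(demonstrate());
```

Rejecting the key rather than silently skipping it is deliberate: a `__proto__` key in a config body is never legitimate, so failing the request also gives the operator a log line to alert on.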

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU96050

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39338

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
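The standard mitigation for this class of bug is to validate a user-supplied destination against an explicit allowlist before the server fetches it. The block below is an added example, not pgAdmin code; the allowlist entries and sample URLs are constructed. It uses the WHATWG URL parser built into Node.js, which normalizes hostnames (including decimal-form IPv4 addresses) before the checks run.

```javascript
// Added example, not pgAdmin code. Validates an outbound URL against an
// allowlist of destinations: scheme, embedded credentials, IP-literal hosts,
// explicit ports and unknown hosts are all rejected. Constructed allowlist.

const ALLOWED_DESTINATIONS = new Set(['api.example.test', 'static.example.test']);

function validateOutboundUrl(raw, allowed = ALLOWED_DESTINATIONS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  if (url.port !== '') {
    return { ok: false, reason: 'explicit port not allowed' };
  }
  // The parser lowercases the host; a trailing dot is the same name to DNS.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  // IPv4 literals (already normalized to dotted form) and bracketed IPv6.
  if (/^[\d.]+$/.test(host) || host.startsWith('[')) {
    return { ok: false, reason: 'IP literal host' };
  }
  if (!allowed.has(host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true, url: url.toString() };
}

// Constructed sample inputs a request handler might receive.
const SAMPLES = [
  'https://api.example.test/v1/items',
  'http://api.example.test/',
  'https://user:pw@api.example.test/',
  'https://127.0.0.1/',
  'https://api.example.test:8443/',
  'https://other.example.test/',
  'not a url',
];

for (const s of SAMPLES) console.log(s, '=>', validateOutboundUrl(s));
```

Two caveats the check itself cannot cover: it does not resolve DNS, so every name on the allowlist must be one the deployment controls, and a fetch that follows redirects must re-run the check on each hop (in Node's `fetch`, set `redirect: 'manual'` and validate the `Location` header yourself).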

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Incorrect Regular Expression

EUVDB-ID: #VU92406

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-4067

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Uncontrolled Memory Allocation

EUVDB-ID: #VU92405

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-4068

CWE-ID: CWE-789 - Uncontrolled Memory Allocation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the NPM package `braces` fails to limit the number of characters it can handle, which can lead to memory exhaustion. A remote attacker can send "imbalanced braces" as input; the parser then enters a loop that keeps allocating heap memory without freeing it. Eventually the JavaScript heap limit is reached and the program crashes.
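Findings #5 and #6 are both resource-exhaustion bugs in the same brace-expansion code, and the fix shape is the same for both: bound the input before any loop runs, and reject imbalanced input instead of trying to recover from it. The block below is an added example, not code from the `braces` or `micromatch` packages or from pgAdmin. It is a small brace expander (`a{b,c}d` to `abd`, `acd`) with a length bound, a nesting bound, a result bound and an up-front balance check; all limits are constructed values.

```javascript
// Added example, not code from braces/micromatch or pgAdmin. Brace expansion
// with the guards the two findings call for. Limits are constructed.

const MAX_INPUT_LENGTH = 1000;
const MAX_DEPTH = 8;
const MAX_RESULTS = 10000;

// Single pass over the pattern with no allocation proportional to its size:
// length, nesting depth and brace balance are all checked before expansion.
function checkBracePattern(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('pattern must be a string');
  if (pattern.length > MAX_INPUT_LENGTH) {
    throw new RangeError(`pattern longer than ${MAX_INPUT_LENGTH} characters`);
  }
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // skip an escaped character
    if (ch === '{') {
      depth++;
      if (depth > MAX_DEPTH) throw new RangeError(`nesting deeper than ${MAX_DEPTH}`);
    } else if (ch === '}') {
      if (depth === 0) throw new SyntaxError(`unmatched "}" at offset ${i}`);
      depth--;
    }
  }
  if (depth !== 0) throw new SyntaxError(`${depth} unclosed "{"`);
}

// Splits the body of a brace group at top-level commas only.
function splitTopLevel(body) {
  const parts = [];
  let depth = 0;
  let start = 0;
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === '\\') { i++; continue; }
    if (ch === '{') depth++;
    else if (ch === '}') depth--;
    else if (ch === ',' && depth === 0) {
      parts.push(body.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(body.slice(start));
  return parts;
}

// Expands the first top-level group and recurses on each alternative. Every
// step removes one pair of braces, so it terminates; the result bound stops
// combinatorial blow-up from many sibling groups.
function expandChecked(pattern, out) {
  let open = -1;
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }
    if (ch === '{') {
      if (depth === 0) open = i;
      depth++;
    } else if (ch === '}') {
      depth--;
      if (depth === 0) {
        const prefix = pattern.slice(0, open);
        const body = pattern.slice(open + 1, i);
        const suffix = pattern.slice(i + 1);
        for (const alt of splitTopLevel(body)) {
          expandChecked(prefix + alt + suffix, out);
        }
        return out;
      }
    }
  }
  out.push(pattern);
  if (out.length > MAX_RESULTS) throw new RangeError(`more than ${MAX_RESULTS} expansions`);
  return out;
}

// Public entry point: validate first, expand second.
function expandBraces(pattern) {
  checkBracePattern(pattern);
  return expandChecked(pattern, []);
}

console.log(expandBraces('a{b,c}d'));       // constructed sample
console.log(expandBraces('x{1,{2,3}}y'));   // nested sample
```

The order matters: `checkBracePattern` runs to completion on any input of bounded length before a single expansion result is allocated, which is exactly the property the memory-exhaustion finding describes as missing.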

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site scripting

EUVDB-ID: #VU96642

Risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]

CVE-ID: CVE-2024-43788

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in AutoPublicPathRuntimeModule. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Improper verification of cryptographic signature

EUVDB-ID: #VU99563

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-48948

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect validation of valid signatures if the hash contains at least four leading 0 bytes and the order of the elliptic curve's base point is smaller than the hash, because of a _truncateToN anomaly. Such behavior leads to valid signatures being rejected.
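The step in question is the ECDSA "truncate to n" rule: when the hash is longer than the group order n, only its leftmost bitlen(n) bits are used, so the shift amount depends on how long the hash is. The block below is an added example, not code from the `elliptic` package. Its assumption is the mechanism behind the anomaly: a length derived from the hash's integer value cannot see leading zero bytes, whereas the signer used the full buffer length, so the two sides truncate to different numbers and a good signature fails to verify. The curve order and hashes are constructed values, not real curve parameters.

```javascript
// Added example, not elliptic's code. Models the truncate-to-n step with
// BigInt: a length derived from the integer value versus the real buffer
// length. Order and hashes are constructed.

function bytesToBigInt(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  return n;
}

function bitLength(n) {
  return n === 0n ? 0 : n.toString(2).length;
}

// Length taken from the integer value: leading zero bytes have already been
// lost, so the shift is too small and a different number reaches the compare.
function truncateByValue(hashBytes, order) {
  const e = bytesToBigInt(hashBytes);
  const byteLenFromValue = Math.ceil(bitLength(e) / 8);
  const delta = byteLenFromValue * 8 - bitLength(order);
  return delta > 0 ? e >> BigInt(delta) : e;
}

// Length taken from the buffer the caller passed, as the signer used it.
function truncateByLength(hashBytes, order) {
  const e = bytesToBigInt(hashBytes);
  const delta = hashBytes.length * 8 - bitLength(order);
  return delta > 0 ? e >> BigInt(delta) : e;
}

// Constructed 192-bit "order": top bit set so bitLength(ORDER_192) === 192.
const ORDER_192 = (1n << 191n) | 0x1234567n;

// Constructed 32-byte hashes, one with four leading zero bytes and one without.
const HASH_LEADING_ZEROS = new Uint8Array([0, 0, 0, 0, ...new Array(28).fill(0xff)]);
const HASH_NO_ZEROS = new Uint8Array(new Array(32).fill(0xff));

// Returns both truncations and whether verifier and signer would agree.
function compare(hashBytes) {
  const byValue = truncateByValue(hashBytes, ORDER_192);
  const byLength = truncateByLength(hashBytes, ORDER_192);
  return { byValue, byLength, agree: byValue === byLength };
}

console.log('leading zeros:', compare(HASH_LEADING_ZEROS));
console.log('no zeros:     ', compare(HASH_NO_ZEROS));
```

With a 256-bit hash and a 192-bit order the correct shift is 64 bits; the value-derived length sees a 224-bit number and shifts by only 32, so the two disagree. With no leading zeros the lengths coincide and both paths agree, which is why the defect only shows on a fraction of messages and only on curves whose order is shorter than the hash.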

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Input validation error

EUVDB-ID: #VU98513

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-48949

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input within the verify() function in lib/elliptic/eddsa/index.js. A remote attacker can send specially crafted input to the application and bypass implemented security restrictions.

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper Authentication

EUVDB-ID: #VU99562

Risk: High

CVSSv4.0: 7.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2024-9014

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in OAuth2 authentication. A remote attacker can obtain the client ID and secret and bypass the authentication process.
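Whatever the precise error, an OAuth2 client secret only has value while it stays on the server, so the defensive pattern is to build the browser-facing view of a provider from an explicit allowlist of fields and to check outgoing JSON for secret-like names before it is sent. The block below is an added example, not pgAdmin code, and it assumes the leak path is configuration reaching the client; the provider record and field names are constructed.

```javascript
// Added example, not pgAdmin code. Allowlisted client view of an OAuth2
// provider plus a serializer that refuses to emit secret-like fields.
// Provider record is constructed.

const PUBLIC_PROVIDER_FIELDS = ['name', 'display_name', 'icon', 'authorize_url', 'scope'];
// Matches client_secret, password, private_key, token and *_token, but not token_url.
const SECRET_FIELD_PATTERN = /secret|password|private_key|(^|_)token$/i;

// Server-side provider config, shaped like what an OAuth2 integration keeps.
// client_id is omitted from the public view too: the server builds the
// authorization redirect, so the browser never needs it.
const PROVIDER_CONFIG = Object.freeze({
  name: 'example-idp',
  display_name: 'Example IdP',
  icon: 'fa-key',
  authorize_url: 'https://idp.example.test/oauth/authorize',
  token_url: 'https://idp.example.test/oauth/token',
  scope: 'openid email',
  client_id: 'constructed-client-id',
  client_secret: 'constructed-client-secret', // must stay server-side
});

// Builds the browser-facing view by copying allowlisted fields only.
function publicProviderView(config) {
  const view = {};
  for (const field of PUBLIC_PROVIDER_FIELDS) {
    if (field in config) view[field] = config[field];
  }
  return view;
}

// Walks any outgoing object and returns the paths whose key looks secret-like.
function findSecretLikeFields(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const [key, child] of Object.entries(value)) {
    const here = `${path}.${key}`;
    if (SECRET_FIELD_PATTERN.test(key)) found.push(here);
    findSecretLikeFields(child, here, found);
  }
  return found;
}

// Serializes a response body, refusing to emit anything secret-like. This is
// a last line of defence behind the allowlist, not a replacement for it.
function serializeForClient(body) {
  const leaks = findSecretLikeFields(body);
  if (leaks.length > 0) {
    throw new Error(`refusing to send secret-like fields: ${leaks.join(', ')}`);
  }
  return JSON.stringify(body);
}

console.log(serializeForClient({ providers: [publicProviderView(PROVIDER_CONFIG)] }));
```

The serializer check is cheap enough to run on every login-page response and turns a silent leak into a server error with a log line naming the offending path.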

Mitigation

Update the affected package pgadmin4 to the latest version.

Vulnerable software versions

Python 3 Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

pgadmin4-web-uwsgi: before 8.5-150600.3.6.1

pgadmin4: before 8.5-150600.3.6.1

pgadmin4-cloud: before 8.5-150600.3.6.1

pgadmin4-doc: before 8.5-150600.3.6.1

system-user-pgadmin: before 8.5-150600.3.6.1

pgadmin4-desktop: before 8.5-150600.3.6.1

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20243771-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.