pgadmin4-8.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13667-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z pgadmin4-8.2-1.1 on GA media These are all security issues fixed in the pgadmin4-8.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13667 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-0959/ SUSE CVE CVE-2022-0959 page https://www.suse.com/security/cve/CVE-2023-0241/ SUSE CVE CVE-2023-0241 page https://www.suse.com/security/cve/CVE-2023-22298/ SUSE CVE CVE-2023-22298 page openSUSE Tumbleweed pgadmin4-8.2-1.1 pgadmin4-cloud-8.2-1.1 pgadmin4-desktop-8.2-1.1 pgadmin4-doc-8.2-1.1 pgadmin4-web-uwsgi-8.2-1.1 system-user-pgadmin-8.2-1.1 pgadmin4-8.2-1.1 as a component of openSUSE Tumbleweed pgadmin4-cloud-8.2-1.1 as a component of openSUSE Tumbleweed pgadmin4-desktop-8.2-1.1 as a component of openSUSE Tumbleweed pgadmin4-doc-8.2-1.1 as a component of openSUSE Tumbleweed pgadmin4-web-uwsgi-8.2-1.1 as a component of openSUSE Tumbleweed system-user-pgadmin-8.2-1.1 as a component of openSUSE Tumbleweed A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. CVE-2022-0959 openSUSE Tumbleweed:pgadmin4-8.2-1.1 openSUSE Tumbleweed:pgadmin4-cloud-8.2-1.1 openSUSE Tumbleweed:pgadmin4-desktop-8.2-1.1 openSUSE Tumbleweed:pgadmin4-doc-8.2-1.1 openSUSE Tumbleweed:pgadmin4-web-uwsgi-8.2-1.1 openSUSE Tumbleweed:system-user-pgadmin-8.2-1.1 important 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-0959.html CVE-2022-0959 https://bugzilla.suse.com/1197143 SUSE Bug 1197143 pgAdmin 4 versions prior to v6.19 contains a directory traversal vulnerability. A user of the product may change another user's settings or alter the database. CVE-2023-0241 openSUSE Tumbleweed:pgadmin4-8.2-1.1 openSUSE Tumbleweed:pgadmin4-cloud-8.2-1.1 openSUSE Tumbleweed:pgadmin4-desktop-8.2-1.1 openSUSE Tumbleweed:pgadmin4-doc-8.2-1.1 openSUSE Tumbleweed:pgadmin4-web-uwsgi-8.2-1.1 openSUSE Tumbleweed:system-user-pgadmin-8.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-0241.html CVE-2023-0241 https://bugzilla.suse.com/1207464 SUSE Bug 1207464 Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. CVE-2023-22298 openSUSE Tumbleweed:pgadmin4-8.2-1.1 openSUSE Tumbleweed:pgadmin4-cloud-8.2-1.1 openSUSE Tumbleweed:pgadmin4-desktop-8.2-1.1 openSUSE Tumbleweed:pgadmin4-doc-8.2-1.1 openSUSE Tumbleweed:pgadmin4-web-uwsgi-8.2-1.1 openSUSE Tumbleweed:system-user-pgadmin-8.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-22298.html CVE-2023-22298 https://bugzilla.suse.com/1207238 SUSE Bug 1207238