pgadmin4-8.5-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13843 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z pgadmin4-8.5-1.1 on GA media These are all security issues fixed in the pgadmin4-8.5-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13843 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13843 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-2044/ SUSE CVE CVE-2024-2044 page https://www.suse.com/security/cve/CVE-2024-3116/ SUSE CVE CVE-2024-3116 page openSUSE Tumbleweed pgadmin4-8.5-1.1 pgadmin4-cloud-8.5-1.1 pgadmin4-desktop-8.5-1.1 pgadmin4-doc-8.5-1.1 pgadmin4-web-uwsgi-8.5-1.1 system-user-pgadmin-8.5-1.1 pgadmin4-8.5-1.1 as a component of openSUSE Tumbleweed pgadmin4-cloud-8.5-1.1 as a component of openSUSE Tumbleweed pgadmin4-desktop-8.5-1.1 as a component of openSUSE Tumbleweed pgadmin4-doc-8.5-1.1 as a component of openSUSE Tumbleweed pgadmin4-web-uwsgi-8.5-1.1 as a component of openSUSE Tumbleweed system-user-pgadmin-8.5-1.1 as a component of openSUSE Tumbleweed pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users' sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution. CVE-2024-2044 openSUSE Tumbleweed:pgadmin4-8.5-1.1 openSUSE Tumbleweed:pgadmin4-cloud-8.5-1.1 openSUSE Tumbleweed:pgadmin4-desktop-8.5-1.1 openSUSE Tumbleweed:pgadmin4-doc-8.5-1.1 openSUSE Tumbleweed:pgadmin4-web-uwsgi-8.5-1.1 openSUSE Tumbleweed:system-user-pgadmin-8.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-2044.html CVE-2024-2044 https://bugzilla.suse.com/1221172 SUSE Bug 1221172 pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data. CVE-2024-3116 openSUSE Tumbleweed:pgadmin4-8.5-1.1 openSUSE Tumbleweed:pgadmin4-cloud-8.5-1.1 openSUSE Tumbleweed:pgadmin4-desktop-8.5-1.1 openSUSE Tumbleweed:pgadmin4-doc-8.5-1.1 openSUSE Tumbleweed:pgadmin4-web-uwsgi-8.5-1.1 openSUSE Tumbleweed:system-user-pgadmin-8.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-3116.html CVE-2024-3116 https://bugzilla.suse.com/1222390 SUSE Bug 1222390