pgAdmin 4 Remote Code Execution Vulnerability in Query Tool and Cloud Deployment Modules

Vulnerability

A remote code execution vulnerability exists in pgAdmin 4 versions prior to 9.2, in the Query Tool and Cloud Deployment modules. Two POST endpoints are affected: '/sqleditor/query_tool/download', which passes the 'query_commited' form parameter to Python's eval() function, and '/cloud/deploy', which does the same with the 'high_availability' parameter. Neither parameter is validated before the call. Because eval() parses and executes whatever Python expression it is given, a request whose parameter value contains a Python expression runs that expression on the server.

Impact

Successful exploitation gives the attacker arbitrary code execution inside the pgAdmin 4 server process, with that process's privileges, on the host where pgAdmin 4 is running.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/sqleditor/query_tool/download' endpoint whose 'query_commited' parameter contains a Python expression instead of the expected value; the expression is executed by eval(). The same result is obtained by sending a POST request to '/cloud/deploy' with a crafted 'high_availability' parameter.
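The following Python sketch is an added illustration of the unsafe pattern described in the Vulnerability and Reproduction sections, placed beside a hardened parser. It is not pgAdmin's code and does not reproduce the affected handlers: the function names, the minimal request dispatcher, the request bodies, and the assumption that 'query_commited' and 'high_availability' carry boolean flags are all constructed for this example.

```python
# Added illustration, not pgAdmin's code. Assumptions: the two parameters
# are boolean flags, the handlers default a missing flag to False, and a
# rejected value should produce HTTP 400. The request bodies are constructed.

ENDPOINT_PARAMS = {
    "/sqleditor/query_tool/download": "query_commited",
    "/cloud/deploy": "high_availability",
}


def parse_flag_unsafe(raw):
    """Vulnerable pattern: the request parameter goes straight to eval().

    eval() compiles and runs any Python expression, so a client that
    controls `raw` runs code in the server process.
    """
    return eval(raw)


class BadFlag(ValueError):
    """Raised when a request parameter is not a recognised boolean."""


def parse_flag_safe(raw):
    """Hardened replacement: accept an explicit allow-list of spellings.

    Nothing the client sends is ever compiled or executed; unrecognised
    input is rejected outright rather than interpreted.
    """
    if isinstance(raw, bool):
        return raw
    if not isinstance(raw, str):
        raise BadFlag("expected a string flag, got %s" % type(raw).__name__)
    value = raw.strip().lower()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise BadFlag("unrecognised flag value: %r" % raw)


def handle_post(path, form, parser):
    """Minimal stand-in for the two POST handlers (assumed shape, not pgAdmin's).

    Returns (http_status, flag_or_message). A missing parameter defaults to
    False, as a boolean option normally would.
    """
    param = ENDPOINT_PARAMS.get(path)
    if param is None:
        return 404, "unknown endpoint"
    raw = form.get(param, "false")
    try:
        return 200, parser(raw)
    except BadFlag as exc:
        return 400, str(exc)


# Constructed request bodies. The malicious one is a deliberately harmless
# stand-in: it only reads the server's PID, but any expression eval() can
# evaluate would run the same way.
BENIGN_FORM = {"query_commited": "True"}
MALICIOUS_FORM = {"high_availability": "__import__('os').getpid()"}


def demo():
    """Run both request bodies through both parsers; returns a result dict."""
    return {
        "benign_unsafe": handle_post(
            "/sqleditor/query_tool/download", BENIGN_FORM, parse_flag_unsafe),
        "benign_safe": handle_post(
            "/sqleditor/query_tool/download", BENIGN_FORM, parse_flag_safe),
        # eval() returns the PID: the attacker's expression ran on the server.
        "malicious_unsafe": handle_post(
            "/cloud/deploy", MALICIOUS_FORM, parse_flag_unsafe),
        # The allow-list parser rejects the same input with a 400.
        "malicious_safe": handle_post(
            "/cloud/deploy", MALICIOUS_FORM, parse_flag_safe),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-16s -> %r" % (name, outcome))
```

Running the module prints the four outcomes: the benign body yields (200, True) under both parsers, the malicious body yields a 200 with the server's PID under eval() and a 400 under the allow-list parser. Note that swapping eval() for ast.literal_eval() is not an adequate fix for a flag: it stops code execution, but it still accepts arbitrary literals, and the Python documentation warns that sufficiently large or nested input can crash the interpreter through the AST compiler's stack limits. An explicit allow-list of accepted strings is the right shape for a boolean option.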

Remediation

Upgrade to pgAdmin 4 version 9.2 or later, which addresses this vulnerability. Until the upgrade is applied, restricting network access to the pgAdmin 4 web interface to trusted clients reduces exposure of the two affected endpoints.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 8.1
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.