pgAdmin 4 Authorization Vulnerability in Server Mode Allowing Access to Private User Data

Vulnerability

An authorization vulnerability exists in pgAdmin 4 in server mode, prior to 9.15, affecting various modules including Server Groups, Servers, Shared Servers, Background Processes, and Debugger. The vulnerability arises because multiple endpoints retrieve user-owned objects without proper filtering by the requesting user's identity. This flaw enables an authenticated user to access another user's private servers, server groups, background processes, and debugger function arguments by merely guessing object IDs. Furthermore, the Shared Servers feature has several issues, such as credential leakage (including passexec_cmd, passfile, and SSL keys), privilege escalation through writable passexec_cmd (which allows arbitrary command execution in the owner's process context), and owner-data corruption via SQLAlchemy session mutations. Several fields meant for owners only were accessible for writing by non-owners through the API, and other fields lacked per-user persistence, causing non-owner edits to alter the owner's record.
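The missing-ownership-filter pattern described above, shown beside a lookup that scopes the query to the requester, redacts owner-only credential fields on shared servers, and confines writes to the owner. This is an added illustration on a constructed sqlite3 model, not pgAdmin's own code; the table layout, the user ids and every column name other than passexec_cmd and passfile are assumptions.

```python
import sqlite3

# Columns a non-owner must never read or write: reading them leaks secrets, and a
# writable passexec_cmd would run an attacker-chosen command in the owner's process
OWNER_ONLY_FIELDS = ("passexec_cmd", "passfile", "sslkey")
EDITABLE_FIELDS = ("name",) + OWNER_ONLY_FIELDS

def setup_db():
    # Constructed in-memory table, not pgAdmin's schema; user 100 owns both rows
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE server (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT, "
               "shared INTEGER, passexec_cmd TEXT, passfile TEXT, sslkey TEXT)")
    db.executemany("INSERT INTO server VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, 100, "alice-private", 0, "/usr/local/bin/get-pw", "/home/alice/.pgpass", "/home/alice/client.key"),
        (2, 100, "alice-shared", 1, "/usr/local/bin/get-pw", "/home/alice/.pgpass", "/home/alice/client.key"),
    ])
    return db

def get_server_vulnerable(db, server_id, requesting_user_id):
    # The pattern the advisory describes: lookup by id alone, requester ignored,
    # so any authenticated user who guesses an id receives the complete row
    row = db.execute("SELECT * FROM server WHERE id = ?", (server_id,)).fetchone()
    return dict(row) if row else None

def get_server_fixed(db, server_id, requesting_user_id):
    # Ownership is part of the query itself; a shared server stays visible to a
    # non-owner, but its owner-only fields are redacted before the response leaves
    row = db.execute("SELECT * FROM server WHERE id = ? AND (user_id = ? OR shared = 1)",
                     (server_id, requesting_user_id)).fetchone()
    if row is None:
        return None
    data = dict(row)
    if data["user_id"] != requesting_user_id:
        for field in OWNER_ONLY_FIELDS:
            data[field] = None
    return data

def update_server_fixed(db, server_id, requesting_user_id, changes):
    # Only the owner writes the owner's row (non-owner edits of a shared server belong in
    # a per-user record); column names are allow-listed so the SET clause cannot be injected
    if not changes or any(f not in EDITABLE_FIELDS for f in changes):
        raise ValueError("unknown field")
    row = db.execute("SELECT user_id FROM server WHERE id = ?", (server_id,)).fetchone()
    if row is None or row["user_id"] != requesting_user_id:
        return False
    assignments = ", ".join(f"{f} = ?" for f in changes)
    db.execute(f"UPDATE server SET {assignments} WHERE id = ?", (*changes.values(), server_id))
    return True
```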

Impact

Exploitation of this vulnerability could lead to unauthorized access to another user's private servers and related data, privilege escalation allowing arbitrary command execution in the owner's process context, and corruption of owner-specific data.

Remediation

The vulnerability has been addressed in two pull requests, which can be found in the pgAdmin 4 GitHub repository.

Added: May 11, 2026, 4:31 PM
Updated: May 11, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm
  spread          6.8
  impact          7.5
  exploitability  4.9
  remediation     0.0
  relevance       8.0
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.