pgAdmin 8.3 Remote Code Execution

pgAdmin versions 8.3 and below have a path traversal vulnerability within their session management logic that can allow a pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python object to execute code within the context of the target application. This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials are specified. If valid credentials are provided, Metasploit will login to pgAdmin and …

application can code code execution context exploit file location logic malicious management object path path traversal path traversal vulnerability python remote code remote code execution session target techniques vulnerability