Security update for pgadmin4

Announcement ID:	SUSE-SU-2024:3771-1
Release Date:	2024-10-29T12:55:39Z
Rating:	important
References:	bsc#1224295 bsc#1224366 bsc#1226967 bsc#1227248 bsc#1227252 bsc#1229423 bsc#1229861 bsc#1230928 bsc#1231564 bsc#1231684
Cross-References:	CVE-2024-38355 CVE-2024-38998 CVE-2024-38999 CVE-2024-39338 CVE-2024-4067 CVE-2024-4068 CVE-2024-43788 CVE-2024-48948 CVE-2024-48949 CVE-2024-9014
CVSS scores:	CVE-2024-38355 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-38998 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2024-38998 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-38998 ( NVD ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-38999 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2024-39338 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2024-39338 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2024-39338 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-4067 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-4068 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-43788 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L CVE-2024-43788 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVE-2024-43788 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2024-48948 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2024-48948 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L CVE-2024-48949 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2024-48949 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVE-2024-48949 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2024-9014 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-9014 ( SUSE ): 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2024-9014 ( NVD ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.6 Python 3 Module 15-SP6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves 10 vulnerabilities can now be installed.

Description:

This update for pgadmin4 fixes the following issues:

• CVE-2024-38355: Fixed socket.io: unhandled 'error' event (bsc#1226967)
• CVE-2024-38998: Fixed requirejs: prototype pollution via function config (bsc#1227248)
• CVE-2024-38999: Fixed requirejs: prototype pollution via function s.contexts._.configure (bsc#1227252)
• CVE-2024-39338: Fixed axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs in axios (bsc#1229423)
• CVE-2024-4067: Fixed micromatch: vulnerable to Regular Expression Denial of Service (ReDoS) (bsc#1224366)
• CVE-2024-4068: Fixed braces: fails to limit the number of characters it can handle, which could lead to Memory Exhaustion (bsc#1224295)
• CVE-2024-43788: Fixed webpack: DOM clobbering gadget in AutoPublicPathRuntimeModule could lead to XSS (bsc#1229861)
• CVE-2024-48948: Fixed elliptic: ECDSA signature verification error due to leading zero may reject legitimate transactions in elliptic (bsc#1231684)
• CVE-2024-48949: Fixed elliptic: Missing Validation in Elliptic's EDDSA Signature Verification (bsc#1231564)
• CVE-2024-9014: Fixed OAuth2 issue that could lead to information leak (bsc#1230928)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch SUSE-2024-3771=1 openSUSE-SLE-15.6-2024-3771=1
• Python 3 Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Python3-15-SP6-2024-3771=1

Package List:

• openSUSE Leap 15.6 (noarch)
  • pgadmin4-desktop-8.5-150600.3.6.1
  • system-user-pgadmin-8.5-150600.3.6.1
  • pgadmin4-doc-8.5-150600.3.6.1
  • pgadmin4-cloud-8.5-150600.3.6.1
  • pgadmin4-8.5-150600.3.6.1
  • pgadmin4-web-uwsgi-8.5-150600.3.6.1
• Python 3 Module 15-SP6 (noarch)
  • pgadmin4-8.5-150600.3.6.1
  • system-user-pgadmin-8.5-150600.3.6.1
  • pgadmin4-doc-8.5-150600.3.6.1

References:

• https://www.suse.com/security/cve/CVE-2024-38355.html
• https://www.suse.com/security/cve/CVE-2024-38998.html
• https://www.suse.com/security/cve/CVE-2024-38999.html
• https://www.suse.com/security/cve/CVE-2024-39338.html
• https://www.suse.com/security/cve/CVE-2024-4067.html
• https://www.suse.com/security/cve/CVE-2024-4068.html
• https://www.suse.com/security/cve/CVE-2024-43788.html
• https://www.suse.com/security/cve/CVE-2024-48948.html
• https://www.suse.com/security/cve/CVE-2024-48949.html
• https://www.suse.com/security/cve/CVE-2024-9014.html
• https://bugzilla.suse.com/show_bug.cgi?id=1224295
• https://bugzilla.suse.com/show_bug.cgi?id=1224366
• https://bugzilla.suse.com/show_bug.cgi?id=1226967
• https://bugzilla.suse.com/show_bug.cgi?id=1227248
• https://bugzilla.suse.com/show_bug.cgi?id=1227252
• https://bugzilla.suse.com/show_bug.cgi?id=1229423
• https://bugzilla.suse.com/show_bug.cgi?id=1229861
• https://bugzilla.suse.com/show_bug.cgi?id=1230928
• https://bugzilla.suse.com/show_bug.cgi?id=1231564
• https://bugzilla.suse.com/show_bug.cgi?id=1231684