Rule Document 1:66428

Report a false positive

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP pgAdmin validate_binary_path API remote code execution attempt

Rule Explanation

This rule looks for HTTP requests to the validate_binary_path endpoint that include a utility_path parameter containing a path using the storage directory. Files uploaded to the server are stored there, meaning it is potentially a malicious executable. Successful exploitation allows an attacker to execute arbitrary code on the pgAdmin server.

What To Look For

This rule fires on attempts to exploit a remote code execution vulnerability in pgAdmin web applications.

Known Usage

Public information/Proof of Concept available

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Server::Web Applications

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

Vulnerability::Severity::Medium

Vulnerability::Severity::Critical

Vulnerability::Severity::High

CVE

CVE-2024-3116

Additional Links

github.com/advisories/GHSA-27jx-ffw8-xrqv

Rule Vulnerability

Local File Inclusion

Local File Inclusion (LFI) attackers attempt to trick the web server into executing a file local to its own file system. The attacker might have saved the file there in another way first, or the target file could be a local executable that should not be accessible to the web server otherwise. A successful LFI can lead to data leaks or remote code execution. Avoid dynamic inclusion of user input files, or whitelist files that may be included.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2024-3116
 Loading description