CVE-2023-1907

High

Published: 09 January 2025

Published

09 January 2025

Modified

20 June 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0010 27.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

Security Summary

CVE-2023-1907 is a vulnerability in pgAdmin, specifically affecting instances running in server mode with LDAP authentication. It occurs when multiple connection attempts happen simultaneously, causing a logging user to be attached to another user's session. The issue is associated with CWE-488 (inconsistent interpretations of HTTP requests) and CWE-276 (incorrect default permissions), and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

A low-privileged authenticated user (PR:L) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R). Successful exploitation allows the attacker to hijack another user's session, resulting in high impacts to confidentiality, integrity, and availability, with a changed scope (S:C) that may affect additional resources.

Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2023-1907 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2218384.

Details

CWE(s): CWE-488CWE-276

Affected Products

pgadmin

≤ 7.0

References

https://access.redhat.com/security/cve/CVE-2023-1907
Third Party Advisory · secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2218384
Issue Tracking, Third Party Advisory · secalert@redhat.com