CVE-2023-1907
Published: 09 January 2025
Summary
CVE-2023-1907 is a high-severity Exposure of Data Element to Wrong Session (CWE-488) vulnerability in Pgadmin Pgadmin. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2023-1907 is a vulnerability in pgAdmin, specifically affecting instances running in server mode with LDAP authentication. It occurs when multiple connection attempts happen simultaneously, causing a logging user to be attached to another user's session. The issue is associated with CWE-488 (inconsistent interpretations of HTTP requests) and CWE-276 (incorrect default permissions), and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).
A low-privileged authenticated user (PR:L) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R). Successful exploitation allows the attacker to hijack another user's session, resulting in high impacts to confidentiality, integrity, and availability, with a changed scope (S:C) that may affect additional resources.
Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2023-1907 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2218384.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0015
Vulnerability details
A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables direct hijacking of another authenticated user's web session in pgAdmin via race condition in LDAP auth handling.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Limits concurrent sessions per user, directly preventing the scenario of multiple simultaneous login attempts that cause session attachment errors in pgAdmin server mode.
Protects the authenticity of communications sessions, mitigating session hijacking where a user is attached to another user's session due to concurrent LDAP logins.
Enforces proper session termination, reducing the risk of new logins attaching to improperly terminated existing sessions during concurrent access.