Cyber Posture

CVE-2023-1907

High

Published: 09 January 2025

Published
09 January 2025
Modified
20 June 2025
KEV Added
Patch
CVSS Score 8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0010 27.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-1907 is a high-severity Exposure of Data Element to Wrong Session (CWE-488) vulnerability in Pgadmin Pgadmin. Its CVSS base score is 8.0 (High).

Operationally, ranked at the 27.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-10 Concurrent Session Control good match
prevent

Limits concurrent sessions per user, directly preventing the scenario of multiple simultaneous login attempts that cause session attachment errors in pgAdmin server mode.

SC-23 Session Authenticity good match
prevent

Protects the authenticity of communications sessions, mitigating session hijacking where a user is attached to another user's session due to concurrent LDAP logins.

AC-12 Session Termination partial match
prevent

Enforces proper session termination, reducing the risk of new logins attaching to improperly terminated existing sessions during concurrent access.

NVD Description

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

Deeper analysisAI

CVE-2023-1907 is a vulnerability in pgAdmin, specifically affecting instances running in server mode with LDAP authentication. It occurs when multiple connection attempts happen simultaneously, causing a logging user to be attached to another user's session. The issue is associated with CWE-488 (inconsistent interpretations of HTTP requests) and CWE-276 (incorrect default permissions), and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

A low-privileged authenticated user (PR:L) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R). Successful exploitation allows the attacker to hijack another user's session, resulting in high impacts to confidentiality, integrity, and availability, with a changed scope (S:C) that may affect additional resources.

Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2023-1907 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2218384.

Details

CWE(s)
CWE-488CWE-276

Affected Products

pgadmin
pgadmin
≤ 7.0

CVEs Like This One

CVE-2025-13780Same vendor: Pgadmin
CVE-2026-1707Same vendor: Pgadmin
CVE-2025-0218Same vendor: Pgadmin
CVE-2025-12762Same vendor: Pgadmin
CVE-2025-24107Shared CWE-276
CVE-2024-53841Shared CWE-276
CVE-2024-11624Shared CWE-276
CVE-2024-43166Shared CWE-276
CVE-2021-47852Shared CWE-276
CVE-2026-32983Shared CWE-276

References