Cyber Resilience

CVE-2023-1907

High

Published: 09 January 2025

Published
09 January 2025
Modified
20 June 2025
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0014 33.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-1907 is a high-severity Exposure of Data Element to Wrong Session (CWE-488) vulnerability in Pgadmin Pgadmin. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2023-1907 is a vulnerability in pgAdmin, specifically affecting instances running in server mode with LDAP authentication. It occurs when multiple connection attempts happen simultaneously, causing a logging user to be attached to another user's session. The issue is associated with CWE-488 (inconsistent interpretations of HTTP requests) and CWE-276 (incorrect default permissions), and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

A low-privileged authenticated user (PR:L) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R). Successful exploitation allows the attacker to hijack another user's session, resulting in high impacts to confidentiality, integrity, and availability, with a changed scope (S:C) that may affect additional resources.

Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2023-1907 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2218384.

EU & UK References

Vulnerability details

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Vulnerability enables direct hijacking of another authenticated user's web session in pgAdmin via race condition in LDAP auth handling.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0218Same vendor: Pgadmin
CVE-2026-7819Same vendor: Pgadmin
CVE-2026-7813Same vendor: Pgadmin
CVE-2026-1707Same vendor: Pgadmin
CVE-2025-13780Same vendor: Pgadmin
CVE-2025-12762Same vendor: Pgadmin
CVE-2026-7816Same vendor: Pgadmin
CVE-2026-7815Same vendor: Pgadmin
CVE-2025-27677Shared CWE-276
CVE-2025-21532Shared CWE-276

Affected Assets

pgadmin
pgadmin
≤ 7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Limits concurrent sessions per user, directly preventing the scenario of multiple simultaneous login attempts that cause session attachment errors in pgAdmin server mode.

prevent

Protects the authenticity of communications sessions, mitigating session hijacking where a user is attached to another user's session due to concurrent LDAP logins.

prevent

Enforces proper session termination, reducing the risk of new logins attaching to improperly terminated existing sessions during concurrent access.

References