Security update for pgadmin4 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:01326-1 Final 1 1 2025-08-14T13:03:13Z current 2025-08-14T13:03:13Z 2025-08-14T13:03:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pgadmin4 This update for pgadmin4 fixes the following issues: - CVE-2025-27152: Fixed SSRF and creadential leakage due to requests sent to absolute URL even when baseURL is set (bsc#1239308) - CVE-2023-1907: Fixed an issue which could result in users being authenticated in another user's session if two users authenticate simultaneously via ldap (bsc#1234840) - CVE-2024-4068: Fixed a possible memory exhaustion (bsc#1224295) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1326,SUSE-SLE-Module-Python3-15-SP6-2025-1326 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202501326-1/ Link for SUSE-SU-2025:01326-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041215.html E-Mail link for SUSE-SU-2025:01326-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1224295 SUSE Bug 1224295 https://bugzilla.suse.com/1234840 SUSE Bug 1234840 https://bugzilla.suse.com/1239308 SUSE Bug 1239308 https://www.suse.com/security/cve/CVE-2023-1907/ SUSE CVE CVE-2023-1907 page https://www.suse.com/security/cve/CVE-2024-4068/ SUSE CVE CVE-2024-4068 page https://www.suse.com/security/cve/CVE-2025-27152/ SUSE CVE CVE-2025-27152 page SUSE Linux Enterprise Module for Python 3 15 SP6 pgadmin4-4.30-150300.3.18.1 pgadmin4-doc-4.30-150300.3.18.1 pgadmin4-web-4.30-150300.3.18.1 pgadmin4-web-uwsgi-4.30-150300.3.18.1 pgadmin4-4.30-150300.3.18.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 pgadmin4-doc-4.30-150300.3.18.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 pgadmin4-web-4.30-150300.3.18.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously. CVE-2023-1907 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-4.30-150300.3.18.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-doc-4.30-150300.3.18.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-web-4.30-150300.3.18.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501326-1/ https://www.suse.com/security/cve/CVE-2023-1907.html CVE-2023-1907 https://bugzilla.suse.com/1234840 SUSE Bug 1234840 The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. CVE-2024-4068 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-4.30-150300.3.18.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-doc-4.30-150300.3.18.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-web-4.30-150300.3.18.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501326-1/ https://www.suse.com/security/cve/CVE-2024-4068.html CVE-2024-4068 https://bugzilla.suse.com/1224256 SUSE Bug 1224256 axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2. CVE-2025-27152 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-4.30-150300.3.18.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-doc-4.30-150300.3.18.1 SUSE Linux Enterprise Module for Python 3 15 SP6:pgadmin4-web-4.30-150300.3.18.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501326-1/ https://www.suse.com/security/cve/CVE-2025-27152.html CVE-2025-27152 https://bugzilla.suse.com/1239305 SUSE Bug 1239305