Detections
Analytics

CVE-2014-0060

critical

Description

PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.

References

https://support.apple.com/kb/HT6536

https://puppet.com/security/cve/cve-2014-0060

http://www.ubuntu.com/usn/USN-2120-1

http://www.postgresql.org/about/news/1506/

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.debian.org/security/2014/dsa-2865

http://www.debian.org/security/2014/dsa-2864

http://wiki.postgresql.org/wiki/20140220securityrelease

http://support.apple.com/kb/HT6448

http://secunia.com/advisories/61307

http://rhn.redhat.com/errata/RHSA-2014-0469.html

http://rhn.redhat.com/errata/RHSA-2014-0249.html

http://rhn.redhat.com/errata/RHSA-2014-0221.html

http://rhn.redhat.com/errata/RHSA-2014-0211.html

http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html

http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html

Details

Source: Mitre, NVD

Published: 2014-03-31

Updated: 2017-12-16

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical