CVE-2014-0060 Information
Share on:Description
PostgreSQL before 8.4.20 9.0.x before 9.0.16 9.1.x before 9.1.12 9.2.x before 9.2.7 and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Reference
http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html http://rhn.redhat.com/errata/RHSA-2014-0211.html http://rhn.redhat.com/errata/RHSA-2014-0221.html http://rhn.redhat.com/errata/RHSA-2014-0249.html http://rhn.redhat.com/errata/RHSA-2014-0469.html http://secunia.com/advisories/61307 http://support.apple.com/kb/HT6448 http://wiki.postgresql.org/wiki/20140220securityrelease http://www.debian.org/security/2014/dsa-2864 http://www.debian.org/security/2014/dsa-2865 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.postgresql.org/about/news/1506/ http://www.ubuntu.com/usn/USN-2120-1 https://puppet.com/security/cve/cve-2014-0060 https://support.apple.com/kb/HT6536