CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
PostgreSQL is vulnerable to unauthorized addition and removal of users. The vulnerability exists because the restriction on adding and removing users is not properly enforced by ADMIN OPTION, allowing any remote member to add or remove users by issuing the SET ROLE command before the associated GRANT command.
archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
rhn.redhat.com/errata/RHSA-2014-0211.html
rhn.redhat.com/errata/RHSA-2014-0221.html
rhn.redhat.com/errata/RHSA-2014-0249.html
rhn.redhat.com/errata/RHSA-2014-0469.html
secunia.com/advisories/61307
support.apple.com/kb/HT6448
wiki.postgresql.org/wiki/20140220securityrelease
www.debian.org/security/2014/dsa-2864
www.debian.org/security/2014/dsa-2865
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.postgresql.org/about/news/1506/
www.postgresql.org/docs/8.4/static/release-8-4-19.html
www.postgresql.org/docs/8.4/static/release-8-4-20.html
www.ubuntu.com/usn/USN-2120-1
access.redhat.com/security/updates/classification/#important
puppet.com/security/cve/cve-2014-0060
support.apple.com/kb/HT6536