PT-2014-3457 · Postgresql+3 · Postgresql+3

Publicado

2014-02-21

Atualizado

2024-06-15

CVE-2014-0060

CVSS v2.0

4.0

Média

Vetor

AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions PostgreSQL versions prior to 8.4.20 PostgreSQL versions 9.0.x prior to 9.0.16 PostgreSQL versions 9.1.x prior to 9.1.12 PostgreSQL versions 9.2.x prior to 9.2.7 PostgreSQL versions 9.3.x prior to 9.3.3

Description The issue allows remote authenticated members of a role to add or remove arbitrary users to that role by exploiting the improper enforcement of the ADMIN OPTION restriction. This can be achieved by calling the SET ROLE command before the associated GRANT command.

Recommendations For versions prior to 8.4.20, update to version 8.4.20 or later. For versions 9.0.x prior to 9.0.16, update to version 9.0.16 or later. For versions 9.1.x prior to 9.1.12, update to version 9.1.12 or later. For versions 9.2.x prior to 9.2.7, update to version 9.2.7 or later. For versions 9.3.x prior to 9.3.3, update to version 9.3.3 or later.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-264

Identificadores relacionados

CESA-2014_0211

CESA-2014_0221

CVE-2014-0060

DSA-2864-1

DSA-2865-1

MGASA-2014-0205

MGASA-2014-0222

OPENSUSE-SU-2024:10030-1

OPENSUSE-SU-2024:10256-1

OPENSUSE-SU-2024:10273-1

RHSA-2014:0211

RHSA-2014:0221

RHSA-2014:0249

RHSA-2014:0469

RHSA-2014_0211

RHSA-2014_0249

SUSE-SU-2014_0461-1

USN-2120-1

Produtos afetados

Centos

Postgresql

Red Hat

Suse

PT-2014-3457 · Postgresql+3 · Postgresql+3

CVE-2014-0060

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 131