CVE-2014-0060

Published: 21 February 2014

PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
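The affected ranges above can be checked against a server inventory mechanically. The following Python is an added example, not part of the original advisory: the function names, host names and sample version strings are constructed, and only the fixed-release numbers come from the description.

```python
import re

# First fixed release per upstream branch, from the CVE description above.
FIXED_PATCH = {(8, 4): 20, (9, 0): 16, (9, 1): 12, (9, 2): 7, (9, 3): 3}
OLDEST_LISTED_BRANCH = min(FIXED_PATCH)

def parse_version(text):
    """Return (major, minor, patch) from strings such as the output of
    SELECT version() or a package version like '9.1.12-0ubuntu0.12.04'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version_text):
    """True if the upstream version falls in a range the advisory lists."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # "before 8.4.20" also covers every branch older than 8.4; branches newer
    # than 9.3 are not in any listed range.
    return branch < OLDEST_LISTED_BRANCH

def audit(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "db-a": "PostgreSQL 9.1.11 on x86_64-unknown-linux-gnu",
    "db-b": "9.1.12-0ubuntu0.12.04",
    "db-c": "PostgreSQL 8.3.23 on i686-pc-linux-gnu",
    "db-d": "9.3.3-1",
    "db-e": "PostgreSQL 9.2.6 on x86_64-unknown-linux-gnu",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host, "is in an affected range:", SAMPLE_INVENTORY[host])
```

The check compares upstream version numbers only, so a package that carries a backported fix under an older upstream number would still be reported as affected.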

Priority

Medium

Status

Package         Release   Status
postgresql-8.4  lucid     Released (8.4.20-0ubuntu010.04)
postgresql-8.4  precise   Released (8.4.22-0ubuntu0.12.04)
postgresql-8.4  quantal   Does not exist
postgresql-8.4  saucy     Does not exist
postgresql-8.4  trusty    Does not exist
postgresql-8.4  upstream  Released (8.4.20)
postgresql-8.4  utopic    Does not exist

postgresql-9.1  lucid     Does not exist
postgresql-9.1  precise   Released (9.1.12-0ubuntu0.12.04)
postgresql-9.1  quantal   Released (9.1.12-0ubuntu0.12.10)
postgresql-9.1  saucy     Released (9.1.12-0ubuntu0.13.10)
postgresql-9.1  trusty    Does not exist (trusty was released [9.1.12-1])
postgresql-9.1  upstream  Released (9.1.12)
postgresql-9.1  utopic    Does not exist

postgresql-9.3  lucid     Does not exist
postgresql-9.3  precise   Does not exist
postgresql-9.3  quantal   Does not exist
postgresql-9.3  saucy     Does not exist
postgresql-9.3  trusty    Released (9.3.3-1)
postgresql-9.3  upstream  Released (9.3.3)
postgresql-9.3  utopic    Does not exist