PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
References
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2014-03-31 14:58
Updated : 2024-02-28 12:20
NVD link : CVE-2014-0060
Mitre link : CVE-2014-0060
CVE.ORG link : CVE-2014-0060
JSON object : View
Products Affected
postgresql
- postgresql
CWE
CWE-264
Permissions, Privileges, and Access Controls