CVE-2014-0060 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2014-0060

CVE-2014-0060

Published:March 28, 2014

Updated:May 17, 2026

PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.

Related Resources (20)

http://www.debian.org/security/2014/dsa-2864

http://rhn.redhat.com/errata/RHSA-2014-0249.html

https://puppet.com/security/cve/cve-2014-0060

http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html

http://secunia.com/advisories/61307

http://wiki.postgresql.org/wiki/20140220securityrelease

http://rhn.redhat.com/errata/RHSA-2014-0469.html

https://support.apple.com/kb/HT6536

http://rhn.redhat.com/errata/RHSA-2014-0221.html

http://rhn.redhat.com/errata/RHSA-2014-0211.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0060

http://www.postgresql.org/about/news/1506/

http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html

https://access.redhat.com/security/cve/CVE-2014-0060

http://support.apple.com/kb/HT6448

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://www.ubuntu.com/usn/USN-2120-1

http://www.debian.org/security/2014/dsa-2865

http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html

Do you need more information?

CVSS v3

Base Score:

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

CVSS v2

Base Score:

4

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

EPSS

Base Score:

0.55