Description

PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.

Remediation

References

CVE-2014-0060

Related Vulnerabilities

WordPress Plugin AppPresser-Mobile App Framework Cross-Site Scripting (1.1.4)

Internet Information Services Other Vulnerability (CVE-2002-0074)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-3544)

Joomla! Core 4.x.x Multiple Vulnerabilities (4.0.0 - 4.2.6)

Jenkins Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') Vulnerability (CVE-2016-9299)

Severity

Medium

Classification

CVE-2014-0060 CWE-264

Tags

Missing Update Known Vulnerabilities