#VU41873 Permissions, Privileges, and Access Controls in PostgreSQL - CVE-2014-0061
Published: March 31, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU41873
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-0061
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PostgreSQL
PostgreSQL
Software vendor:
PostgreSQL Global Development Group
PostgreSQL Global Development Group
Description
The vulnerability allows a remote #AU# to read and manipulate data.
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Remediation
Install update from vendor's website.
External links
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
- http://rhn.redhat.com/errata/RHSA-2014-0211.html
- http://rhn.redhat.com/errata/RHSA-2014-0221.html
- http://rhn.redhat.com/errata/RHSA-2014-0249.html
- http://rhn.redhat.com/errata/RHSA-2014-0469.html
- http://secunia.com/advisories/61307
- http://support.apple.com/kb/HT6448
- http://wiki.postgresql.org/wiki/20140220securityrelease
- http://www.debian.org/security/2014/dsa-2864
- http://www.debian.org/security/2014/dsa-2865
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.postgresql.org/about/news/1506/
- http://www.ubuntu.com/usn/USN-2120-1
- https://support.apple.com/kb/HT6536