CVE-2014-0067

MEDIUM severity · CVSS 4.6 · CWE-264

4.6CVSS MEDIUM

Summary

The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.

Impact & exploitability

Attack vectorLocal

Attack complexityLow

Privileges required—

User interaction—

Confidentiality impact—

Integrity impact—

Availability impact—

Exploit probability (EPSS)0%

AV:L/AC:L/Au:N/C:P/I:P/A:P

Affected products we track (1)

PostgreSQL

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://wiki.postgresql.org/wiki/20140220securityreleaseAdvisory
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.postgresql.org/about/news/1506/