#VU41879 Permissions, Privileges, and Access Controls in PostgreSQL Global Development Group products - CVE-2014-0067

Cybersecurity Help s.r.o.

Published: 2014-03-31 | Updated: 2020-08-10

Vulnerability identifier: #VU41879

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-0067

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
macOS
Operating systems & Components / Operating system
macOS Server
Operating systems & Components / Operating system
PostgreSQL
Server applications / Database software

Vendor: Apple Inc.
PostgreSQL Global Development Group

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.

Mitigation
Install update from vendor's website.

Vulnerable software versions

macOS: 10.10.4

macOS Server: 5.0.3 - 10.10.4

PostgreSQL: 5.0.3, 8.4.1 - 8.4.18, 9.0 - 9.0.15, 9.1 - 9.1.11, 9.2 - 9.2.6, 9.3 - 9.3.2, 10.10.4

External links
https://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
https://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
https://wiki.postgresql.org/wiki/20140220securityrelease
https://www.debian.org/security/2014/dsa-2864
https://www.debian.org/security/2014/dsa-2865
https://www.postgresql.org/about/news/1506/
https://www.securityfocus.com/bid/65721
https://support.apple.com/HT205219
https://support.apple.com/kb/HT205031

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for postgresql92