CVE-2014-0060 (PostgreSQL security bypass vulnerability)

  • Posted March 4, 2014

  • Assessed Risk Level: Medium

PostgreSQL did not properly enforce the WITH ADMIN OPTION permission for role management, which allowed any member of a role the ability to grant others access to the same role regardless if the member was given the WITH ADMIN OPTION permission. For more details please see: http://wiki.postgresql.org/wiki/20140220securityrelease#SET_ROLE_bypasses_lack_of_ADMIN_OPTION


  • Affected Versions: Puppet Enterprise 3.x
  • Resolved in Puppet Enterprise 3.2.0