Guest

Preview Tool

Cisco Bug: CSCuq52599 - PCA: PostgreSQL Vulnerabilities

Last Modified

Aug 06, 2018

Products (2)

  • Cisco Prime Collaboration
  • Cisco Prime Collaboration 10.6

Known Affected Releases

10.6

Description (partial)

Symptoms:
Cisco Prime Collaboration Manager includes a version of PostgreSQL that is affected by the vulnerabilities
identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-0060: PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and
9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated
members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the
associated GRANT command. This has been classified by the vendor as having a CVSSv2 score of 4.0
(AV:N/AC:L/AU:S/C:N/I:P/A:N)

CVE-2014-0061: The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x
before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated
users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be
directly called by the user due to permissions. This has been classified by the vendor as having a CVSSv2
score of 6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)

CVE-2014-0062: Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL
before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows
remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating
or deleting a table with the same name during the timing window. This has been classified by the vendor as
having a CVSSv2 score of 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N)

CVE-2014-0063: Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x
before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial
of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant
and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than
CVE-2014-0065. This has been classified by the vendor as having a CVSSv2 score of 6.5
(AV:N/AC:L/AU:S/C:P/I:P/A:P)

CVE-2014-0064: Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before
8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote
authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this
identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector. This
has been classified by the vendor as having a CVSSv2 score of 6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)

CVE-2014-0065: Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before
9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact
and attack vectors, a different vulnerability than CVE-2014-0063. This has been classified by the vendor as
having a CVSSv2 score of 6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.