Red Hat Bugzilla – Bug 846503
CVE-2012-3460 cumin: postgresql database user created without password
Last modified: 2015-02-06 18:09:09 EST
Florian Weimer reported that, when Cumin is installed, it creates a "cumin" PostgreSQL user and changes pg_hba.conf so that no password is required for authentication. This could be used to bypass role separation in Cumin; for instance, in a setup where condor_schedd runs on the same machine as Cumin, a regular Cumin user could submit a job that connects to the PostgreSQL database and alters the database in such a way as to give the regular user administrative privileges.
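
A defensive check for the condition described above, as an added example that is not part of the bug report or of Cumin's code: it scans pg_hba.conf text for rules that let a given role authenticate with the `trust` method, which checks no password. The function name and the sample file contents are constructed for illustration; the parser assumes no quoted fields and does not resolve `+group` or `@file` user entries.

```python
import ipaddress

def _is_bare_ip(field):
    """True for an address written without /len (a netmask field follows it)."""
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False

def passwordless_rules(hba_text, role):
    """Return (lineno, conn_type, database, address) for each pg_hba.conf rule
    that lets `role` authenticate with method `trust` (no password checked)."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # simplification: no quoted fields
        if len(fields) < 4:
            continue
        conn_type, database, users = fields[0], fields[1], fields[2].split(",")
        if conn_type == "local":
            address, method_idx = "(unix socket)", 3
        elif conn_type.startswith("host"):
            # "addr/len" or a hostname: method is next; bare IP: netmask comes first
            address = fields[3]
            method_idx = 5 if _is_bare_ip(address) else 4
        else:
            continue  # not a connection rule
        if len(fields) <= method_idx:
            continue  # malformed rule, nothing to evaluate
        if fields[method_idx] == "trust" and (role in users or "all" in users):
            findings.append((lineno, conn_type, database, address))
    return findings

# Constructed sample; not the file that Cumin actually writes.
SAMPLE_HBA = """\
# constructed sample for the audit function
local   all     postgres                        peer
local   cumin   cumin                           trust
host    cumin   cumin   127.0.0.1/32            trust
host    all     all     192.168.0.0 255.255.0.0 md5
host    cumin   cumin   ::1/128                 md5
"""

if __name__ == "__main__":
    for hit in passwordless_rules(SAMPLE_HBA, "cumin"):
        print("passwordless access for role cumin:", hit)
```

PostgreSQL applies the first rule that matches a connection, so a reported `trust` rule that sits below a stricter matching rule may be shadowed; review each finding in file order.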