A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription().
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1954112 | Issue Tracking Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2021-06-01T13:31:40
Updated: 2021-06-01T13:31:40
Reserved: 2021-04-27T00:00:00
Link: CVE-2021-3515
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-06-01T14:15:10.337
Modified: 2022-10-07T20:46:13.593
Link: CVE-2021-3515
JSON object: View
Redhat Information
No data.