CPANSA-PGObject-Util-DBAdmin-2018-01: PGObject-Util-DBAdmin vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2018-06-18T00:00:00	Engine	CSAF Perl Toolkit 0.25
Current release date	2018-06-18T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score	9.8	Severity
Original language		Language	en
Also referred to

Vulnerability Description

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application.

Vulnerabilities

CVE-2018-9246

Vulnerability Description

Weakness	CWE-116 : Improper Encoding or Escaping of Output

Product status

Known affected

Product

Score

PGObject-Util-DBAdmin less than 1.6.0

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
3.0	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	9.8	Critical
2.0	AV:N/AC:L/Au:N/C:P/I:P/A:P	7.5	High

Fixed

PGObject-Util-DBAdmin greater than or equal 1.6.0

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-PGObject-Util-DBAdmin-2018-01 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2018/cpansa-pgobject-util-dbadmin-2018-01.json
https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html external
https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html
CVE-2018-9246 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2018-9246

Revision history

Version	Date of the revision	Summary of the revision
1	Mon Jun 18 00:00:00 2018	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/