CPANSA-PGObject-Util-DBAdmin-2018-01: PGObject-Util-DBAdmin vulnerability

Publisher: giterlizzi
Document category: csaf_security_advisory
Initial release date: 2018-06-18T00:00:00
Engine: CSAF Perl Toolkit 0.25
Current release date: 2018-06-18T00:00:00
Build Date:
Current version: 1
Status: final
CVSS v3.1 Base Score: 9.8
Severity:
Original language:
Language: en
Also referred to:

Vulnerability Description

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application.

Vulnerabilities

CVE-2018-9246

Weakness: CWE-116: Improper Encoding or Escaping of Output

Product status

Known affected:
  Product: PGObject-Util-DBAdmin less than 1.6.0
  Score:
    CVSS Version | CVSS Vector | CVSS Base Score | CVSS Base Severity
    3.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | Critical
    2.0 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 7.5 | High
Fixed:

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

Revision history

Version | Date of the revision | Summary of the revision
1 | Mon Jun 18 00:00:00 2018 | First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/