Bug 1186121 - (CVE-2021-3515) VUL-0: CVE-2021-3515: pglogical: Shell injection by pglogical users with CREATEDB access
VUL-0: CVE-2021-3515: pglogical: Shell injection by pglogical users with CREA...
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Development
Leap 42.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-05-17 11:08 UTC by Gianluca Gabrielli
Modified: 2021-05-27 16:04 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-05-17 11:08:38 UTC

A flaw was found in pglogical 2.3.3 and earlier, 3.6.25 and earlier. A user having CREATEDB privilege on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription().

Comment 1 Gianluca Gabrielli 2021-05-17 11:09:27 UTC
Fixed in REL2.3.4

Upstream patch: https://github.com/2ndQuadrant/pglogical/commit/95c0e8981485e09efab6821cf55a4e27b086efe5
Comment 2 Gianluca Gabrielli 2021-05-17 11:10:14 UTC
Affected package:

 - server:database:postgresql/pglogical
Comment 3 Reinhard Max 2021-05-27 16:04:59 UTC
Fixed in the project, but there is nothing to release as it is not on Factory or SLE.