First Last Prev Next    This bug is not in your last search results.
Bug 1186121 - (CVE-2021-3515) VUL-0: CVE-2021-3515: pglogical: Shell injection by pglogical users with CREATEDB access
(CVE-2021-3515)
VUL-0: CVE-2021-3515: pglogical: Shell injection by pglogical users with CREA...
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Development
Leap 42.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/284460/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-17 11:08 UTC by Gianluca Gabrielli
Modified: 2021-05-27 16:04 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-05-17 11:08:38 UTC 
CVE-2021-3515

A flaw was found in pglogical 2.3.3 and earlier, 3.6.25 and earlier. A user having CREATEDB privilege on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription().

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1954112
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3515
Comment 1 Gianluca Gabrielli 2021-05-17 11:09:27 UTC 
Fixed in REL2.3.4

Upstream patch: https://github.com/2ndQuadrant/pglogical/commit/95c0e8981485e09efab6821cf55a4e27b086efe5
Comment 2 Gianluca Gabrielli 2021-05-17 11:10:14 UTC 
Affected package:

 - server:database:postgresql/pglogical
Comment 3 Reinhard Max 2021-05-27 16:04:59 UTC 
Fixed in the project, but there is nothing to release as it is not on Factory or SLE.
First Last Prev Next    This bug is not in your last search results.