[ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin
This mail is sent to this mailing list because PGObject::Util::DBAdmin itself doesn't have a mailing list to send the disclosure to. We'll update its repository to reflect the announcement below.

Please take note of the security advisory below, known as CVE-2018-9246.

Nick Prater discovered that the PGObject::Util::DBAdmin insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection. The vulnerability allows an attacker to execute arbitrary code with the same privileges as the running application through the create(), run_file(), backup() and restore() functions.

Affected versions: PGObject::Util::DBAdmin versions 0.110.0 and lower.
Vulnerability type: Insufficiently sanitized arguments in external program invocation
Discoverer: Nick Prater (NP Broadcast LTD)
Resolution: Upgrade to PGObject::Util::DBAdmin 0.120.0 or newer. (0.130.0 available on CPAN).

Kind regards,
-- 
Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.
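The advisory above describes the vulnerability class (a variable value interpolated into a shell command line without escaping) but not the fix pattern. The following is an added illustration, not code from PGObject::Util::DBAdmin or the LedgerSMB project: it uses a hypothetical database-creation helper with `echo` standing in for the real `createdb` binary, so it runs offline. It contrasts a string built for `/bin/sh` with two defensive patterns, passing arguments as a vector (no shell involved) and validating the identifier before use, plus `shlex.quote` for the rare case where a shell string cannot be avoided. The hostile name is a constructed sample whose injected part is only an `echo`.

```python
import re
import shlex
import subprocess

# Constructed sample input: a "database name" carrying shell metacharacters.
HOSTILE_DBNAME = "prod; echo INJECTED"

# PostgreSQL-style identifier: letters, digits, underscore, max 63 chars.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# Stand-in for an external program such as createdb; hypothetical, not the module's API.
TOOL = "echo"


def vulnerable_command(dbname: str) -> str:
    """Builds one shell string by interpolation (the flawed pattern).

    Anything in dbname that /bin/sh treats specially (';', '|', '$(...)', ...)
    is interpreted as shell syntax rather than as part of the name.
    """
    return f"{TOOL} createdb {dbname}"


def run_vulnerable(dbname: str) -> str:
    """Runs the interpolated string through a shell; returns captured stdout."""
    result = subprocess.run(vulnerable_command(dbname), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def safe_argv(dbname: str) -> list[str]:
    """Validates the identifier and returns an argument vector.

    With a vector, each element reaches the program as one literal argv entry;
    no shell ever parses the value, so metacharacters have no effect.
    """
    if not IDENT_RE.match(dbname):
        raise ValueError(f"invalid database identifier: {dbname!r}")
    return [TOOL, "createdb", dbname]


def run_safe(dbname: str) -> str:
    """Runs the vector form (shell=False); returns captured stdout."""
    result = subprocess.run(safe_argv(dbname), capture_output=True,
                            text=True, check=True)
    return result.stdout


def quoted_command(dbname: str) -> str:
    """Defensive fallback when a shell string is unavoidable: quote the value.

    shlex.quote wraps the value so /bin/sh sees a single word; the whole
    hostile string becomes one argument instead of two commands.
    """
    return f"{TOOL} createdb {shlex.quote(dbname)}"


def run_quoted(dbname: str) -> str:
    result = subprocess.run(quoted_command(dbname), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(HOSTILE_DBNAME)))
    print("quoted:    ", repr(run_quoted(HOSTILE_DBNAME)))
    try:
        run_safe(HOSTILE_DBNAME)
    except ValueError as exc:
        print("safe:       rejected ->", exc)
    print("safe:      ", repr(run_safe("prod")))
```

The vector form is the primary fix: the process is started directly and the value is never shell-parsed. Identifier validation is a second, independent layer (a name that is not a valid identifier would be rejected by the database anyway, so refusing it early costs nothing). Quoting is the weakest of the three because it depends on getting the quoting rules right for every shell the code might run under.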
Please note that all Docker images of versions 1.5.19 and older include the affected component. Administrators are advised to update to 1.5.20 or higher.

Regards,
Erik.

On Thu, Jun 7, 2018 at 12:36 AM, Erik Huelsmann <ehuels@gmail.com> wrote:
> This mail is sent to this mailing list because PGObject::Util::DBAdmin itself doesn't have a mailing list to send the disclosure to. We'll update its repository to reflect the announcement below.
>
> Please take note of the security advisory below, known as CVE-2018-9246.
>
> Nick Prater discovered that the PGObject::Util::DBAdmin insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection. The vulnerability allows an attacker to execute arbitrary code with the same privileges as the running application through the create(), run_file(), backup() and restore() functions.
>
> Affected versions: PGObject::Util::DBAdmin versions 0.110.0 and lower.
> Vulnerability type: Insufficiently sanitized arguments in external program invocation
> Discoverer: Nick Prater (NP Broadcast LTD)
> Resolution: Upgrade to PGObject::Util::DBAdmin 0.120.0 or newer. (0.130.0 available on CPAN).
>
> Kind regards,
> -- 
> Bye,
> Erik.
> http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.