Candidate: CVE-2018-9246 PublicDate: 2018-06-08 01:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9246 Description: The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application. Ubuntu-Description: Notes: Bugs: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900942 Priority: medium Discovered-by: Assigned-to: CVSS: nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL] Patches_libpgobject-util-dbadmin-perl: other: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/2c25c3dbc8b832a657247d3ea63ae80f3c5df6b1 other: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/f4e684008ca9e182833a70793ae91288d2c80218 other: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/dc48d0e1af0dbf861779b2c781e0f4c612c22cfb upstream_libpgobject-util-dbadmin-perl: needs-triage precise/esm_libpgobject-util-dbadmin-perl: DNE trusty_libpgobject-util-dbadmin-perl: DNE trusty/esm_libpgobject-util-dbadmin-perl: DNE xenial_libpgobject-util-dbadmin-perl: DNE artful_libpgobject-util-dbadmin-perl: ignored (reached end-of-life) bionic_libpgobject-util-dbadmin-perl: needs-triage cosmic_libpgobject-util-dbadmin-perl: ignored (reached end-of-life) disco_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1) eoan_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1) focal_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1) groovy_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1) hirsute_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1) impish_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1) jammy_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1) devel_libpgobject-util-dbadmin-perl: not-affected (0.130.1-1)