DescriptionThe PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)
Debian Bugs900942

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpgobject-util-dbadmin-perl (PTS)stretch0.100.0-1vulnerable
buster, sid0.130.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[stretch] - libpgobject-util-dbadmin-perl <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems