CVE-2018-9246

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application.

References

https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html

Affected packages

Git / github.com/ledgersmb/ledgersmb

Affected ranges

Type

GIT

Repo

https://github.com/ledgersmb/ledgersmb

Events

Introduced

5fb87569525daa80b39f08bd61dfaf041dca6519

Last affected

c2ee0db96e188ed39d60d34a604ee1cb1d6bfb28

Database specific

{
    "versions": [
        {
            "introduced": "1.5.0"
        },
        {
            "last_affected": "1.5.21"
        }
    ]
}

Type

GIT

Repo

https://github.com/ledgersmb/pgobject-util-dbadmin

Events

Introduced

Fixed

d811aea33a911072ab7de74195f3cd9f2867db67

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.120.0"
        }
    ]
}

Affected versions

1.*

1.5.0

1.5.1

1.5.10

1.5.11

1.5.12

1.5.13

1.5.14

1.5.15

1.5.16

1.5.17

1.5.18

1.5.19

1.5.2

1.5.20

1.5.21

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

v0.*

v0.100.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9246.json"