A shell injection flaw was found in pglogical in versions prior to 2.3.4 and prior to 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription().
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
2ndquadrant pglogical |