CVE-2018-9246

Published: Jun 8, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application.

Affected (2)

Products: Pgobject Util Dbadmin Project: Pgobject Util Dbadmin · Ledgersmb: Ledgersmb

Pgobject Util Dbadmin Project

1 product

Pgobject Util Dbadmin

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pgobject Util Dbadmin Project Pgobject Util Dbadmin	Before 0.120.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Ledgersmb Ledgersmb	From 1.5.0 to 1.5.21

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (2)

https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html

Source: cve@mitre.org

Vendor Advisory

https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.