When configuring the CFME appliance with an internal database with a password, passwords which contain shell commands may be invoked.
This issue is not a security vulnerability as the database password would be controlled by the database admin, who can simply modify the database to cause arbitrary code execution anyways, so no trust boundary is violated.