A flaw was found in pglogical 2.3.3 and earlier and 3.6.25 and earlier. A user with the CREATEDB privilege on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when pglogical.create_subscription() is called.
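The precondition described above (a vulnerable pglogical version plus a non-superuser holding CREATEDB) can be checked from three catalog queries. The audit helper below is an added example, not code from the advisory, Red Hat or the pglogical project; it reads the query results offline, flags versions inside the two ranges the advisory lists, lists CREATEDB roles, and reports existing database names that contain shell metacharacters, which is the signal to review on a server that cannot be upgraded immediately. The sample inputs at the bottom are constructed.

```python
"""Offline audit helper for the pglogical flaw described in the advisory.

Added example; not code from the advisory, Red Hat or the pglogical
project. Inputs are the rows returned by the three queries in
AUDIT_QUERIES, so the script runs against exported data without a server.
"""

import re

# Queries to run on the server (psql or any client) to collect the inputs.
AUDIT_QUERIES = {
    "extversion": "SELECT extversion FROM pg_extension WHERE extname = 'pglogical';",
    "createdb_roles": "SELECT rolname FROM pg_roles WHERE rolcreatedb AND NOT rolsuper;",
    "dbnames": "SELECT datname FROM pg_database;",
}

# Upper bounds from the advisory: "2.3.3 and earlier, 3.6.25 and earlier".
LAST_VULNERABLE_2X = (2, 3, 3)
LAST_VULNERABLE_3X = (3, 6, 25)

# Characters with meaning to /bin/sh. A database name carrying them is the
# condition the advisory describes, so their presence is the audit signal.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\"'\s]")


def parse_version(extversion):
    """'2.3.3' -> (2, 3, 3); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", extversion)]
    if not parts:
        raise ValueError(f"unrecognised pglogical version: {extversion!r}")
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable_version(extversion):
    """True when the version falls in either range the advisory lists."""
    v = parse_version(extversion)
    if v[0] >= 3:
        return (3, 0, 0) <= v <= LAST_VULNERABLE_3X
    # "2.3.3 and earlier" also covers the 1.x line.
    return v <= LAST_VULNERABLE_2X


def suspicious_dbnames(dbnames):
    """Database names containing shell metacharacters, in input order."""
    return [name for name in dbnames if SHELL_META.search(name)]


def audit(extversion, createdb_roles, dbnames):
    """Combine the three inputs into one finding.

    `exposed` is True only when a vulnerable pglogical is installed AND a
    non-superuser can create databases, which is the precondition in the
    advisory; suspicious names are listed as evidence to review either way.
    """
    vulnerable = extversion is not None and is_vulnerable_version(extversion)
    roles = sorted(createdb_roles)
    names = suspicious_dbnames(dbnames)
    return {
        "pglogical_version": extversion,
        "vulnerable_version": vulnerable,
        "createdb_roles": roles,
        "suspicious_dbnames": names,
        "exposed": vulnerable and bool(roles),
    }


if __name__ == "__main__":
    # Constructed sample inputs standing in for the query results.
    sample = audit(
        extversion="2.3.3",
        createdb_roles=["app_deploy", "analyst"],
        dbnames=["app", "reporting", "ops|log", "a b"],
    )
    for key, value in sample.items():
        print(f"{key}: {value}")
```

The version check is deliberately bounded to the ranges the advisory states; a version outside both ranges reports as not vulnerable rather than guessing. When `exposed` is True, the remediation is the upgrade in the linked fix commit; until it is applied, revoking CREATEDB from roles that do not need it removes the precondition.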
Red Hat CloudForms does not ship pglogical from 5.11 onward, so CFME is not affected by the flaw. The rubygem-pg-pglogical package (https://github.com/ManageIQ/pg-pglogical) is a different package from rh-postgresql95-postgresql-pglogical (https://github.com/2ndQuadrant/pglogical).
cloudforms_managementengine:5.10/rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf
cloudforms_managementengine:5.10/cfme-gemset-0:5.10.15.1-1.el7cf:rubygem-pg-pglogical-2.1.2
cloudforms_managementengine:5.11/cfme-gemset:rubygem-pg-pglogical-2.1.3
Acknowledgments: Pedro Gallegos
Official release note: https://github.com/2ndQuadrant/pglogical/commit/086651fcb97de643b02befa838c426c632021f03
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3515