A flaw was found in pglogical 2.3.3 and earlier and in 3.6.25 and earlier. A user holding the CREATEDB privilege on a PostgreSQL server can create a database whose name contains shell metacharacters; when pglogical.create_subscription() is called with that database, the name is handed unescaped to a shell, allowing arbitrary shell commands to execute as the operating-system user running the PostgreSQL server (the postgresql user). CREATEDB is routinely granted to ordinary, non-superuser roles, so this escalates from a regular database role to command execution on the database host.
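The following is an added example, not pglogical's own code or the code from the fix commit, illustrating the bug class: a user-controlled database name interpolated into a command line that is passed to /bin/sh, next to two hardened forms. It assumes (hypothetically) that the subscription code spawns pg_dump with the database name on its command line; the sample database name is constructed for the example and the Python interpreter stands in for pg_dump so the no-shell variant can run anywhere.

```python
import shlex
import subprocess
import sys

# Constructed sample input (not from the advisory): a database name a CREATEDB
# user could choose, carrying shell metacharacters. A plain name is the control.
MALICIOUS_DBNAME = "app; id > /tmp/pwned #"
BENIGN_DBNAME = "app"


def vulnerable_dump_command(dbname, host="localhost", port=5432):
    """Unsafe pattern (hypothetical reconstruction): the untrusted name is
    interpolated straight into a string that will be given to /bin/sh."""
    return f"pg_dump --schema-only --host={host} --port={port} --dbname={dbname}"


def hardened_dump_command(dbname, host="localhost", port=5432):
    """Fix 1: quote every untrusted field so the shell sees exactly one argument."""
    return (f"pg_dump --schema-only --host={shlex.quote(host)} "
            f"--port={int(port)} --dbname={shlex.quote(dbname)}")


def hardened_dump_argv(dbname, host="localhost", port=5432):
    """Fix 2 (preferred): never involve a shell; pass an argv list to exec."""
    return ["pg_dump", "--schema-only", f"--host={host}",
            f"--port={int(port)}", f"--dbname={dbname}"]


def shell_argv(cmdline):
    """Tokenise cmdline the way a POSIX shell would, keeping ; | & && || > as
    their own tokens and honouring quotes and # comments."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


SEPARATORS = {";", "|", "&", "&&", "||"}


def count_shell_commands(cmdline):
    """Number of simple commands the shell would run for cmdline.
    Anything above 1 means the database name injected a second command."""
    return 1 + sum(1 for tok in shell_argv(cmdline) if tok in SEPARATORS)


def argv_roundtrip(dbname):
    """Spawn a child without a shell and return the argument exactly as the
    child received it; sys.executable stands in for pg_dump here."""
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", dbname]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for name in (BENIGN_DBNAME, MALICIOUS_DBNAME):
        print(f"dbname={name!r}")
        print("  unquoted shell string:", count_shell_commands(vulnerable_dump_command(name)), "command(s)")
        print("  quoted shell string  :", count_shell_commands(hardened_dump_command(name)), "command(s)")
        print("  argv, no shell       :", argv_roundtrip(name) == name)
```

With the constructed name, the unquoted string splits into two commands (pg_dump, then id with its output redirected), the quoted string stays a single pg_dump invocation whose --dbname argument is the full name, and the argv form delivers the name byte-for-byte with no shell in the path. The argv form is the one to prefer in C extension code as well: build an argument vector and exec it rather than building a string for system()/popen().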
Red Hat CloudForms 5.11 and later do not ship pglogical, so CFME is not affected by this flaw. Note that rubygem-pg-pglogical (https://github.com/ManageIQ/pg-pglogical) is a different project from the rh-postgresql95-postgresql-pglogical package (https://github.com/2ndQuadrant/pglogical), which is the one this flaw concerns.
Name: Pedro Gallegos
Official release note: https://github.com/2ndQuadrant/pglogical/commit/086651fcb97de643b02befa838c426c632021f03
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):