CVE-2021-3515

Name of the Vulnerable Software and Affected Versions pglogical versions before 2.3.4 pglogical versions before 3.6.26

Description The issue is related to a lack of input data sanitization in the pglogical system, which can be exploited to gain access to confidential data, compromise data integrity, and cause a denial of service. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name to execute shell commands as the postgresql user when calling pglogical.create subscription().

Recommendations For versions before 2.3.4, update to version 2.3.4 or later. For versions before 3.6.26, update to version 3.6.26 or later. As a temporary workaround, consider restricting the CREATEDB privileges on the PostgreSQL server to minimize the risk of exploitation. Avoid using the pglogical.create subscription() function with untrusted database names until the issue is resolved.