ubuntucve | Ubuntu.com | UB:CVE-2012-3366
History: Jul 03, 2012 - 12:00 a.m.

CVE-2012-3366


EPSS: 0.005 (Low), percentile 75.3%

The Trigger plugin in bcfg2 1.2.x before 1.2.3 allows remote attackers with
root access to the client to execute arbitrary commands via shell
metacharacters in the UUID field to the server process (bcfg2-server).

This is very similar to a flaw discovered last year in a large number of other
plugins; this instance was not fixed at that time because Trigger uses a
different method to invoke external shell commands, and because Trigger
previously hid all errors from trigger scripts, so tests did not find the
issue. As a side effect of this change, Trigger will begin reporting errors
from triggered scripts.

This only affects the Trigger plugin; if you are not using Trigger, you are
not affected by this flaw. As a workaround, you can disable Trigger until you
are able to upgrade.
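
The following Python example is added here for illustration. It is not bcfg2's code and does not come from the advisory. It shows the two defences this class of flaw calls for: client-supplied fields handed to a script as separate arguments with no shell involved, and script failures returned to the caller rather than hidden. The function names, the UUID allow-list and the sample values are assumptions.

```python
import re
import subprocess

# Assumption: client UUIDs are hex digits and hyphens only (hypothetical policy).
UUID_RE = re.compile(r"[0-9A-Fa-f-]{1,64}")


def validate_uuid(value):
    """Return value unchanged if it matches the allow-list, else raise ValueError."""
    if not UUID_RE.fullmatch(value):
        raise ValueError("rejected client UUID: %r" % (value,))
    return value


def run_trigger(script, fields, timeout=30):
    """Run one trigger script with client-derived fields as separate arguments.

    The argument list goes to the OS directly (no shell), so characters such
    as ';', '|', '`' or '$' in a field are data, not syntax. Exit status and
    stderr are returned so the caller can log failures instead of hiding them.
    """
    proc = subprocess.run([script] + list(fields), stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


def failed_triggers(scripts, hostname, uuid):
    """Run every script for one client; return [(script, rc, stderr)] for failures."""
    fields = [hostname, validate_uuid(uuid)]  # reject bad UUIDs before any exec
    failures = []
    for script in scripts:
        rc, _out, err = run_trigger(script, fields)
        if rc != 0:
            failures.append((script, rc, err.strip()))
    return failures
```

Validation and shell-free invocation are independent layers: the allow-list rejects malformed UUIDs early, and the argument-list call keeps any field that does get through from being parsed as shell syntax.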
