CVE-2006-2314

Description

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.

7.5

CVSS

Severity: High

CVSS 2.0 •

EPSS 2.20% Top 20%

Vendor Advisory gentoo.org Vendor Advisory suse.com Vendor Advisory redhat.com Vendor Advisory trustix.org Vendor Advisory sgi.com Vendor Advisory ubuntu.com Vendor Advisory mandriva.com Vendor Advisory novell.com Vendor Advisory ubuntu.com Vendor Advisory ubuntu.com Vendor Advisory debian.org

Affected: n/a n/a

References

Link	Tags
https://exchange.xforce.ibmcloud.com/vulnerabilities/26628	vdb entry
http://security.gentoo.org/glsa/glsa-200607-04.xml	vendor advisory
http://secunia.com/advisories/20435	third party advisory
http://www.securityfocus.com/bid/18092	vdb entry
http://secunia.com/advisories/20503	third party advisory
http://secunia.com/advisories/20451	third party advisory
http://secunia.com/advisories/21001	third party advisory
http://www.postgresql.org/docs/techdocs.50
http://secunia.com/advisories/20231	third party advisory
http://secunia.com/advisories/20653	third party advisory
http://lists.suse.com/archive/suse-security-announce/2006-Jun/0002.html	vendor advisory
http://secunia.com/advisories/21749	third party advisory
http://www.osvdb.org/25731	vdb entry
http://secunia.com/advisories/20782	third party advisory
http://www.redhat.com/support/errata/RHSA-2006-0526.html	vendor advisory
http://www.trustix.org/errata/2006/0032/	vendor advisory
ftp://patches.sgi.com/support/free/security/advisories/20060602-01-U.asc	vendor advisory
http://www.vupen.com/english/advisories/2006/1941	vdb entry
http://www.securityfocus.com/archive/1/435161/100/0/threaded	mailing list
http://secunia.com/advisories/20232	third party advisory
http://www.securityfocus.com/archive/1/435038/100/0/threaded	mailing list
https://usn.ubuntu.com/288-1/	vendor advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2006:098	vendor advisory
http://www.novell.com/linux/security/advisories/2006_21_sr.html	vendor advisory
http://support.avaya.com/elmodocs2/security/ASA-2006-113.htm
https://exchange.xforce.ibmcloud.com/vulnerabilities/26627	vdb entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9947	vdb entry signature
http://secunia.com/advisories/20555	third party advisory
http://archives.postgresql.org/pgsql-announce/2006-05/msg00010.php	mailing list patch
http://securitytracker.com/id?1016142	vdb entry
http://www.ubuntu.com/usn/usn-288-3	vendor advisory
http://www.ubuntu.com/usn/usn-288-2	vendor advisory
http://secunia.com/advisories/20314	third party advisory
http://www.debian.org/security/2006/dsa-1087	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2006-2314?: CVE-2006-2314 has been scored as a high severity vulnerability.
How to fix CVE-2006-2314?: To fix CVE-2006-2314, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2006-2314 being actively exploited in the wild?: It is possible that CVE-2006-2314 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.