Strix
26.1K

CVE-2006-2314

UnknownEPSS 2.79%

Last modified

CVE-2006-2314 is a vulnerability of currently unknown severity. PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.. EPSS estimates a 2.79% chance of exploitation in the next 30 days.

Description

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.

Metrics

EPSS Probability
2.79%

84.6th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
PostgresqlPostgresql7.3
PostgresqlPostgresql7.3.1
PostgresqlPostgresql7.3.2
PostgresqlPostgresql7.3.3
PostgresqlPostgresql7.3.4
PostgresqlPostgresql7.3.5
PostgresqlPostgresql7.3.6
PostgresqlPostgresql7.3.7
PostgresqlPostgresql7.3.8
PostgresqlPostgresql7.3.9
PostgresqlPostgresql7.3.10
PostgresqlPostgresql7.3.11
PostgresqlPostgresql7.3.12
PostgresqlPostgresql7.3.13
PostgresqlPostgresql7.3.14
PostgresqlPostgresql7.4
PostgresqlPostgresql7.4.1
PostgresqlPostgresql7.4.2
PostgresqlPostgresql7.4.3
PostgresqlPostgresql7.4.4
PostgresqlPostgresql7.4.5
PostgresqlPostgresql7.4.6
PostgresqlPostgresql7.4.7
PostgresqlPostgresql7.4.8
PostgresqlPostgresql7.4.9
PostgresqlPostgresql7.4.10
PostgresqlPostgresql7.4.11
PostgresqlPostgresql7.4.12
PostgresqlPostgresql8.0
PostgresqlPostgresql8.0.1
PostgresqlPostgresql8.0.2
PostgresqlPostgresql8.0.3
PostgresqlPostgresql8.0.4
PostgresqlPostgresql8.0.5
PostgresqlPostgresql8.0.6
PostgresqlPostgresql8.0.7
PostgresqlPostgresql8.1
PostgresqlPostgresql8.1.1
PostgresqlPostgresql8.1.2
PostgresqlPostgresql8.1.3

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2006-2314?
PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.
How severe is CVE-2006-2314?
Severity scoring for CVE-2006-2314 is pending analysis. The EPSS model estimates a 2.79% probability of exploitation in the next 30 days.
How do I fix CVE-2006-2314?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2006-2314?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST