National Cyber Awareness System

Vulnerability Summary for CVE-2006-2314

Overview

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.

Impact

CVSS Severity (version 2.0 upgrade from v1.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: MLIST

Name: [pgsql-announce] 20060523 Security Releases for All Active Versions

Type: Patch Information

Hyperlink:http://archives.postgresql.org/pgsql-announce/2006-05/msg00010.php

External Source: VUPEN

Name: ADV-2006-1941

Hyperlink:http://www.vupen.com/english/advisories/2006/1941

External Source: CONFIRM

Name: http://www.postgresql.org/docs/techdocs.50

Hyperlink:http://www.postgresql.org/docs/techdocs.50

External Source: OVAL

Name: oval:org.mitre.oval:def:9947

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9947

External Source: XF

Name: postgresql-ascii-sql-injection(26628)

Hyperlink:http://xforce.iss.net/xforce/xfdb/26628

External Source: XF

Name: postgresql-multibyte-sql-injection(26627)

Hyperlink:http://xforce.iss.net/xforce/xfdb/26627

External Source: UBUNTU

Name: USN-288-1

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-288-1

External Source: UBUNTU

Name: USN-288-3

Hyperlink:http://www.ubuntu.com/usn/usn-288-3

External Source: UBUNTU

Name: USN-288-2

Hyperlink:http://www.ubuntu.com/usn/usn-288-2

External Source: TRUSTIX

Name: 2006-0032

Hyperlink:http://www.trustix.org/errata/2006/0032/

External Source: BID

Name: 18092

Hyperlink:http://www.securityfocus.com/bid/18092

External Source: BUGTRAQ

Name: 20060524 rPSA-2006-0080-1 postgresql postgresql-server

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/435161/100/0/threaded

External Source: BUGTRAQ

Name: 20060523 PostgreSQL security releases 8.1.4, 8.0.8, 7.4.13, 7.3.15

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/435038/100/0/threaded

External Source: REDHAT

Name: RHSA-2006:0526

Hyperlink:http://www.redhat.com/support/errata/RHSA-2006-0526.html

External Source: OSVDB

Name: 25731

Hyperlink:http://www.osvdb.org/25731

External Source: SUSE

Name: SUSE-SR:2006:021

Hyperlink:http://www.novell.com/linux/security/advisories/2006_21_sr.html

External Source: MANDRIVA

Name: MDKSA-2006:098

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:098

External Source: DEBIAN

Name: DSA-1087

Hyperlink:http://www.debian.org/security/2006/dsa-1087

External Source: CONFIRM

Name: http://support.avaya.com/elmodocs2/security/ASA-2006-113.htm

Hyperlink:http://support.avaya.com/elmodocs2/security/ASA-2006-113.htm

External Source: SECTRACK

Name: 1016142

Hyperlink:http://securitytracker.com/id?1016142

External Source: GENTOO

Name: GLSA-200607-04

Hyperlink:http://security.gentoo.org/glsa/glsa-200607-04.xml

External Source: SECUNIA

Name: 21749

Hyperlink:http://secunia.com/advisories/21749

External Source: SECUNIA

Name: 21001

Hyperlink:http://secunia.com/advisories/21001

External Source: SECUNIA

Name: 20782

Hyperlink:http://secunia.com/advisories/20782

External Source: SECUNIA

Name: 20653

Hyperlink:http://secunia.com/advisories/20653

External Source: SECUNIA

Name: 20555

Hyperlink:http://secunia.com/advisories/20555

External Source: SECUNIA

Name: 20503

Hyperlink:http://secunia.com/advisories/20503

External Source: SECUNIA

Name: 20451

Hyperlink:http://secunia.com/advisories/20451

External Source: SECUNIA

Name: 20435

Hyperlink:http://secunia.com/advisories/20435

External Source: SECUNIA

Name: 20314

Hyperlink:http://secunia.com/advisories/20314

External Source: SECUNIA

Name: 20232

Hyperlink:http://secunia.com/advisories/20232

External Source: SECUNIA

Name: 20231

Hyperlink:http://secunia.com/advisories/20231

External Source: SUSE

Name: SUSE-SA:2006:030

Hyperlink:http://lists.suse.com/archive/suse-security-announce/2006-Jun/0002.html

External Source: SGI

Name: 20060602-01-U

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20060602-01-U.asc

References to Check Content

Identifier:oval:org.mitre.oval:def:9947

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9947