OSVDB ID: 25731 Title: PostgreSQL Single Quote Escaping Filter Bypass |
Info |
|
|
Dates |
||||
|
|
Description |
PostgreSQL contains a flaw that may allow a malicious user to bypass security restrictions and execute arbitrary SQL commands. The issue is triggered due to an error when escaping ASCII single quote "'" characters (by turning them into "\'") and operating in multibyte encodings (e.g. SJIS, BIG5, GBK, GB18030, or UHC) that allow using the "0x5c" ASCII code (backslash) as the trailing byte of a multibyte character. It is possible that the flaw may allow SQL injection attacks resulting in a loss of confidentiality and integrity. |
Classification |
Location:
Remote / Network Access
Attack Type: Input Manipulation Impact: Loss of Confidentiality, Loss of Integrity Exploit: Exploit Rumored Disclosure: OSVDB Verified, Vendor Verified |
Solution |
Upgrade to version 7.3.15, 7.4.13, 8.0.8, 8.1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. |
Products |
|
Credit |
Unknown or Incomplete |