IBM Db2 code execution
CVE-2023-27859

6.5MEDIUM

Key Information:

Vendor
IBM
Status
Db2 For Linux, Unix And Windows
Vendor
CVE Published:
22 January 2024

Summary

IBM Db2 versions 10.1, 10.5, and 11.1 are susceptible to a vulnerability that allows for the execution of arbitrary code by a remote user. This issue arises from the incorrect management of similarly named jar files across different databases. An attacker can exploit this flaw by inserting a malicious jar file that replaces an existing jar file of the same name in another database, enabling them to execute harmful commands remotely. Organizations using these Db2 versions must take action to mitigate this risk by ensuring that their systems are configured properly and that necessary updates are applied.

Affected Version(s)

Db2 for Linux, UNIX and Windows 10.5, 11.1 ,11.5

References

https://www.ibm.com/support/pages/node/7105503
vendor-advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/249205
vdb-entry
https://security.netapp.com/advisory/ntap-20240307-0002/

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.