CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

IBM » DB2 : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-8901 399 DoS 2014-12-18 2014-12-18
4.0
None Remote Low Single system None None Partial
IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted XML query.
2 CVE-2014-6210 20 DoS 2014-12-12 2014-12-15
4.0
None Remote Low Single system None None Partial
IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) by specifying the same column within multiple ALTER TABLE statements.
3 CVE-2014-6209 20 DoS 2014-12-12 2014-12-15
4.0
None Remote Low Single system None None Partial
IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) by specifying an identity column within a crafted ALTER TABLE statement.
4 CVE-2014-6159 20 DoS 2014-11-08 2014-12-02
3.5
None Remote Medium Single system None None Partial
IBM DB2 9.7 before FP10, 9.8 through FP5, 10.1 through FT4, and 10.5 through FP4 on Linux, UNIX, and Windows, when immediate AUTO_REVAL is enabled, allows remote authenticated users to cause a denial of service (daemon crash) via a crafted ALTER TABLE statement.
5 CVE-2014-6097 20 DoS 2014-11-08 2014-11-10
4.0
None Remote Low Single system None None Partial
IBM DB2 9.7 before FP10 and 9.8 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) via a crafted ALTER TABLE statement.
6 CVE-2014-4805 200 +Info 2014-09-04 2014-09-04
2.1
None Local Low Not required Partial None None
IBM DB2 10.5 before FP4 on Linux and AIX creates temporary files during CDE table LOAD operations, which allows local users to obtain sensitive information by reading a file while a LOAD is occurring.
7 CVE-2014-3095 20 DoS 2014-09-04 2014-09-13
3.5
None Remote Medium Single system None None Partial
The SQL engine in IBM DB2 9.5 through FP10, 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) via a crafted UNION clause in a subquery of a SELECT statement.
8 CVE-2014-3094 119 Exec Code Overflow 2014-09-04 2014-09-13
8.5
None Remote Medium Single system Complete Complete Complete
Stack-based buffer overflow in IBM DB2 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to execute arbitrary code via a crafted ALTER MODULE statement.
9 CVE-2014-0907 +Priv 2014-05-30 2014-09-04
7.2
Admin Local Low Not required Complete Complete Complete
Multiple untrusted search path vulnerabilities in unspecified (1) setuid and (2) setgid programs in IBM DB2 9.5, 9.7 before FP9a, 9.8, 10.1 before FP3a, and 10.5 before FP3a on Linux and UNIX allow local users to gain root privileges via a Trojan horse library.
10 CVE-2013-6744 264 +Priv 2014-05-30 2014-06-24
8.5
User Remote Medium Single system Complete Complete Complete
The Stored Procedure infrastructure in IBM DB2 9.5, 9.7 before FP9a, 10.1 before FP3a, and 10.5 before FP3a on Windows allows remote authenticated users to gain privileges by leveraging the CONNECT privilege and the CREATE_EXTERNAL_ROUTINE authority.
11 CVE-2013-6717 DoS 2013-12-19 2014-02-06
4.0
None Remote Low Single system None None Partial
The OLAP query engine in IBM DB2 and DB2 Connect 9.7 through FP9, 9.8 through FP5, 10.1 through FP3, and 10.5 through FP2, and the DB2 pureScale Feature 9.8 for Enterprise Server Edition, allows remote authenticated users to cause a denial of service (database outage and deactivation) via unspecified vectors.
12 CVE-2013-5466 DoS 2013-12-18 2013-12-19
4.0
None Remote Low Single system None None Partial
The XSLT library in IBM DB2 and DB2 Connect 9.5 through 10.5, and the DB2 pureScale Feature 9.8 for Enterprise Server Edition, allows remote authenticated users to cause a denial of service via unspecified vectors.
13 CVE-2013-4033 264 2013-08-28 2013-09-05
4.6
None Remote High Single system Partial Partial Partial
IBM DB2 and DB2 Connect 9.7 through FP8, 9.8 through FP5, 10.1 through FP2, and 10.5 through FP1 allow remote authenticated users to execute DML statements by leveraging EXPLAIN authority.
14 CVE-2013-4032 20 DoS 2013-10-02 2013-10-08
5.0
None Remote Low Not required None None Partial
The Fast Communications Manager (FCM) in IBM DB2 Enterprise Server Edition and Advanced Enterprise Server Edition 10.1 before FP3 and 10.5, when a multi-node configuration is used, allows remote attackers to cause a denial of service via vectors involving arbitrary data.
15 CVE-2013-3475 119 Overflow +Priv 2013-06-04 2013-06-05
7.2
None Local Low Not required Complete Complete Complete
Stack-based buffer overflow in db2aud in the Audit Facility in IBM DB2 and DB2 Connect 9.1, 9.5, 9.7, 9.8, and 10.1, as used in Smart Analytics System 7600 and other products, allows local users to gain privileges via unspecified vectors.
16 CVE-2012-4826 119 Exec Code Overflow 2012-10-20 2013-03-01
8.5
None Remote Medium Single system Complete Complete Complete
Stack-based buffer overflow in the SQL/PSM (aka SQL Persistent Stored Module) Stored Procedure (SP) infrastructure in IBM DB2 9.1, 9.5, 9.7 before FP7, 9.8, and 10.1 might allow remote authenticated users to execute arbitrary code by debugging a stored procedure.
17 CVE-2012-3324 22 Dir. Trav. 2012-09-25 2012-09-26
9.0
None Remote Low Single system Complete Complete Complete
Directory traversal vulnerability in the UTL_FILE module in IBM DB2 and DB2 Connect 10.1 before FP1 on Windows allows remote authenticated users to modify, delete, or read arbitrary files via a pathname in the file field.
18 CVE-2012-2197 119 Exec Code Overflow 2012-07-25 2012-07-30
7.1
None Remote High Single system Complete Complete Complete
Stack-based buffer overflow in the Java Stored Procedure infrastructure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote authenticated users to execute arbitrary code by leveraging certain CONNECT and EXECUTE privileges.
19 CVE-2012-2196 200 +Info 2012-07-25 2012-08-01
5.0
None Remote Low Not required Partial None None
IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to read arbitrary XML files via the (1) GET_WRAP_CFG_C or (2) GET_WRAP_CFG_C2 stored procedure.
20 CVE-2012-2194 22 Dir. Trav. 2012-07-25 2012-07-25
5.0
None Remote Low Not required None Partial None
Directory traversal vulnerability in the SQLJ.DB2_INSTALL_JAR stored procedure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to replace JAR files via unspecified vectors.
21 CVE-2012-2180 DoS 2012-06-20 2012-06-20
4.3
None Remote Medium Not required None None Partial
The chaining functionality in the Distributed Relational Database Architecture (DRDA) module in IBM DB2 9.7 before FP6 and 9.8 before FP5 allows remote attackers to cause a denial of service (NULL pointer dereference, and resource consumption or daemon crash) via a crafted request.
22 CVE-2012-1797 264 2012-03-20 2012-08-13
10.0
None Remote Low Not required Complete Complete Complete
IBM DB2 9.5 uses world-writable permissions for nodes.reg, which has unspecified impact and attack vectors.
23 CVE-2012-1796 +Priv 2012-03-20 2012-08-13
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in IBM Tivoli Monitoring Agent (ITMA), as used in IBM DB2 9.5 before FP9 on UNIX, allows local users to gain privileges via unknown vectors.
24 CVE-2012-0713 2012-08-24 2012-08-24
3.5
None Remote Medium Single system Partial None None
Unspecified vulnerability in the XML feature in IBM DB2 9.7 before FP6 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary XML files via unknown vectors.
25 CVE-2012-0712 399 DoS 2012-03-20 2012-08-13
4.0
None Remote Low Single system None None Partial
The XML feature in IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 through FP4 allows remote authenticated users to cause a denial of service (infinite loop) by calling the XMLPARSE function with a crafted string expression.
26 CVE-2012-0711 189 Exec Code Overflow 2012-03-20 2012-08-13
7.5
None Remote Low Not required Partial Partial Partial
Integer signedness error in the db2dasrrm process in the DB2 Administration Server (DAS) in IBM DB2 9.1 through FP11, 9.5 before FP9, and 9.7 through FP5 on UNIX platforms allows remote attackers to execute arbitrary code via a crafted request that triggers a heap-based buffer overflow.
27 CVE-2012-0710 20 DoS 2012-03-20 2012-08-13
5.0
None Remote Low Not required None None Partial
IBM DB2 9.1 before FP11, 9.5 before FP9, 9.7 before FP5, and 9.8 before FP4 allows remote attackers to cause a denial of service (daemon crash) via a crafted Distributed Relational Database Architecture (DRDA) request.
28 CVE-2012-0709 20 Bypass 2012-03-20 2012-08-13
4.0
None Remote Low Single system Partial None None
IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 through FP4 does not properly check variables, which allows remote authenticated users to bypass intended restrictions on viewing table data by leveraging the CREATEIN privilege to execute crafted SQL CREATE VARIABLE statements.
29 CVE-2011-4061 +Priv 2011-10-17 2012-02-13
6.9
None Local Medium Not required Complete Complete Complete
Multiple untrusted search path vulnerabilities in (1) db2rspgn and (2) kbbacf1 in IBM DB2 Express Edition 9.7, as used in the IBM Tivoli Monitoring for Databases: DB2 Agent, allow local users to gain privileges via a Trojan horse libkbb.so in the current working directory, related to the DT_RPATH ELF header.
30 CVE-2011-1847 264 2011-05-03 2012-01-26
4.9
None Remote Medium Single system None Partial Partial
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information.
31 CVE-2011-1846 264 2011-05-03 2012-01-26
6.5
None Remote Low Single system Partial Partial Partial
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly revoke role membership from groups, which allows remote authenticated users to execute non-DDL statements by leveraging previous inherited possession of a role, a different vulnerability than CVE-2011-0757. NOTE: some of these details are obtained from third party information.
32 CVE-2011-1373 DoS 2011-11-09 2012-01-26
1.5
None Local Medium Single system None None Partial
Unspecified vulnerability in IBM DB2 9.7 before FP5 on UNIX, when the Self Tuning Memory Manager (STMM) feature and the AUTOMATIC DATABASE_MEMORY setting are configured, allows local users to cause a denial of service (daemon crash) via unknown vectors.
33 CVE-2011-0757 264 2011-02-02 2012-01-26
6.5
None Remote Low Single system Partial Partial Partial
IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, UNIX, and Windows does not properly revoke the DBADM authority, which allows remote authenticated users to execute non-DDL statements by leveraging previous possession of this authority.
34 CVE-2011-0731 119 Exec Code Overflow 2011-02-01 2012-01-26
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP7, and 9.7 before FP3 on Linux, UNIX, and Windows allows remote attackers to execute arbitrary code via unspecified vectors.
35 CVE-2010-3740 399 DoS 2010-10-05 2012-01-26
4.0
None Remote Low Single system None None Partial
The Net Search Extender (NSE) implementation in the Text Search component in IBM DB2 UDB 9.5 before FP6a does not properly handle an alphanumeric Fuzzy search, which allows remote authenticated users to cause a denial of service (memory consumption and system hang) via the db2ext.textSearch function.
36 CVE-2010-3738 264 Exec Code 2010-10-05 2012-01-26
5.0
None Remote Low Not required None Partial None
The Security component in IBM DB2 UDB 9.5 before FP6a logs AUDIT events by using a USERID and an AUTHID value corresponding to the instance owner, instead of a USERID and an AUTHID value corresponding to the logged-in user account, which makes it easier for remote authenticated users to execute Audit administration commands without discovery.
37 CVE-2010-3737 399 DoS 2010-10-05 2012-01-26
3.5
None Remote Medium Single system None None Partial
Memory leak in the Relational Data Services component in IBM DB2 UDB 9.5 before FP6a allows remote authenticated users to cause a denial of service (heap memory consumption) by executing a (1) user-defined function (UDF) or (2) stored procedure while using a different code page than the database server.
38 CVE-2010-3736 399 DoS 2010-10-05 2012-01-26
4.0
None Remote Low Single system None None Partial
Memory leak in the Relational Data Services component in IBM DB2 UDB 9.5 before FP6a, when the connection concentrator is enabled, allows remote authenticated users to cause a denial of service (heap memory consumption) by using a different code page than the database server.
39 CVE-2010-3735 399 DoS 2010-10-05 2012-01-26
2.1
None Remote High Single system None None Partial
The "Query Compiler, Rewrite, Optimizer" component in IBM DB2 UDB 9.5 before FP6a allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted query involving certain UNION ALL views, leading to an indefinitely large amount of compilation time.
40 CVE-2010-3734 264 2010-10-05 2012-01-26
5.0
None Remote Low Not required None Partial None
The Install component in IBM DB2 UDB 9.5 before FP6a on Linux, UNIX, and Windows enforces an unintended limit on password length, which makes it easier for attackers to obtain access via a brute-force attack.
41 CVE-2010-3733 264 +Priv 2010-10-05 2012-01-26
7.2
None Local Low Not required Complete Complete Complete
The Engine Utilities component in IBM DB2 UDB 9.5 before FP6a uses world-writable permissions for the sqllib/cfg/db2sprf file, which might allow local users to gain privileges by modifying this file.
42 CVE-2010-3732 20 DoS 2010-10-05 2012-01-26
3.5
None Remote Medium Single system None None Partial
The DRDA Services component in IBM DB2 UDB 9.5 before FP6a allows remote authenticated users to cause a denial of service (database server ABEND) by using the client CLI on Linux, UNIX, or Windows for executing a prepared statement with a large number of parameter markers.
43 CVE-2010-3731 119 Exec Code Overflow 2010-10-05 2012-01-26
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in the validateUser implementation in the com.ibm.db2.das.core.DasSysCmd function in db2dasrrm in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP3 allows remote attackers to execute arbitrary code via a long username string.
44 CVE-2010-3475 264 Bypass 2010-09-20 2012-01-26
4.0
None Remote Low Single system None Partial None
IBM DB2 9.7 before FP3 does not properly enforce privilege requirements for execution of entries in the dynamic SQL cache, which allows remote authenticated users to bypass intended access restrictions by leveraging the cache to execute an UPDATE statement contained in a compiled compound SQL statement.
45 CVE-2010-3474 264 Bypass 2010-09-20 2012-01-26
5.0
None Remote Low Not required None Partial None
IBM DB2 9.7 before FP3 does not perform the expected drops or invalidations of dependent functions upon a loss of privileges by the functions' owners, which allows remote authenticated users to bypass intended access restrictions via calls to these functions, a different vulnerability than CVE-2009-3471.
46 CVE-2010-3197 264 +Info 2010-08-31 2012-01-26
5.0
None Remote Low Not required Partial None None
IBM DB2 9.7 before FP2 does not perform the expected access control on the monitor administrative views in the SYSIBMADM schema, which allows remote attackers to obtain sensitive information via unspecified vectors.
47 CVE-2010-3196 264 DoS 2010-08-31 2012-01-26
3.5
None Remote Medium Single system None None Partial
IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote authenticated users to cause a denial of service (loss of privileges) to a view owner by defining a dependent view.
48 CVE-2010-3195 DoS 2010-08-31 2012-01-26
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 on Windows Server 2008 allows attackers to cause a denial of service (trap) via vectors involving "special group and user enumeration."
49 CVE-2010-3194 264 Bypass 2010-08-31 2012-01-26
7.5
None Remote Low Not required Partial Partial Partial
The DB2DART program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows attackers to bypass intended file access restrictions via unspecified vectors related to overwriting files owned by an instance owner.
50 CVE-2010-3193 2010-08-31 2012-01-26
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 has unknown impact and attack vectors.
Total number of vulnerabilities : 104   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.