Vulnerability Details : CVE-2014-8910
IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement.
Products affected by CVE-2014-8910
- cpe:2.3:a:ibm:db2:9.7:*:*:*:workgroup:*:*:*
- cpe:2.3:a:ibm:db2:9.7:*:*:*:enterprise:*:*:*
- cpe:2.3:a:ibm:db2:9.8:*:*:*:advanced_workgroup:*:*:*
- cpe:2.3:a:ibm:db2:10.1:*:*:*:express:*:*:*
- cpe:2.3:a:ibm:db2:10.5:*:*:*:enterprise:*:*:*
- cpe:2.3:a:ibm:db2:10.5:*:*:*:advanced_enterprise:*:*:*
- cpe:2.3:a:ibm:db2:10.5:*:*:*:advanced_workgroup:*:*:*
- cpe:2.3:a:ibm:db2:9.7:*:*:*:express:*:*:*
- cpe:2.3:a:ibm:db2:9.8:*:*:*:enterprise:*:*:*
- cpe:2.3:a:ibm:db2:9.8:*:*:*:advanced_enterprise:*:*:*
- cpe:2.3:a:ibm:db2:10.5:*:*:*:express:*:*:*
- cpe:2.3:a:ibm:db2:10.5:*:*:*:workgroup:*:*:*
- cpe:2.3:a:ibm:db2:9.7:*:*:*:advanced_enterprise:*:*:*
- cpe:2.3:a:ibm:db2:9.7:*:*:*:advanced_workgroup:*:*:*
- cpe:2.3:a:ibm:db2:10.1:*:*:*:workgroup:*:*:*
- cpe:2.3:a:ibm:db2:10.1:*:*:*:enterprise:*:*:*
- cpe:2.3:a:ibm:db2:9.8:*:*:*:express:*:*:*
- cpe:2.3:a:ibm:db2:9.8:*:*:*:workgroup:*:*:*
- cpe:2.3:a:ibm:db2:10.1:*:*:*:advanced_enterprise:*:*:*
- cpe:2.3:a:ibm:db2:10.1:*:*:*:advanced_workgroup:*:*:*
Threat overview for CVE-2014-8910
Top countries where our scanners detected CVE-2014-8910
Top open port discovered on systems with this issue
523
IPs affected by CVE-2014-8910 25
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2014-8910!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2014-8910
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 53 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-8910
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST |
CWE ids for CVE-2014-8910
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8910
-
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06353
IBM IT06353: SECURITY: IBM DB2 contains a file disclosure vulnerability using a SELECT statement with XML/XSLT function (CVE-2014-8910)
-
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06354
IBM IT06354: SECURITY: IBM DB2 contains a file disclosure vulnerability using a SELECT statement with XML/XSLT function (CVE-2014-8910)Vendor Advisory
-
http://www-01.ibm.com/support/docview.wss?uid=swg21697988
IBM Security Bulletin: IBM® DB2® contains a file disclosure vulnerability using a SELECT statement with XML/XSLT function (CVE-2014-8910)Patch;Vendor Advisory
-
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06356
IBM IT06356: SECURITY: IBM DB2 contains a file disclosure vulnerability using a SELECT statement with XML/XSLT function (CVE-2014-8910)
-
http://www.securitytracker.com/id/1032883
IBM DB2 XML/XSLT Function Bug Lets Remote Authenticated Users Read Files on the Target System - SecurityTracker
-
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06355
IBMid - Sign in or create an IBMid
-
http://www.securityfocus.com/bid/75949
Multiple IBM DB2 Products CVE-2014-8910 File Disclosure Vulnerability
Jump to