Vulnerability Details : CVE-2017-1520
IBM DB2 9.7, 10,1, 10.5, and 11.1 is vulnerable to an unauthorized command that allows the database to be activated when authentication type is CLIENT. IBM X-Force ID: 129830.
Vulnerability category: BypassGain privilege
Products affected by CVE-2017-1520
- cpe:2.3:a:ibm:db2:9.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.9:a:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.3:a:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:10.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:11.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:11.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:10.5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2_connect:9.7.0.11:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-1520
0.19%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-1520
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
3.7
|
LOW | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
2.2
|
1.4
|
NIST |
CWE ids for CVE-2017-1520
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1520
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/129830
IBM DB2 improper access CVE-2017-1520 Vulnerability ReportVendor Advisory
-
http://www.securitytracker.com/id/1039308
IBM DB2 CLIENT Authentication Flaw Lets Remote Users Activate the Target Database - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.ibm.com/support/docview.wss?uid=swg22007186
IBM Security Bulletin: IBM® Db2® is vulnerable to an unauthorized command that allows the database to be activated when authentication type is CLIENT (CVE-2017-1520)Patch;Vendor Advisory
-
http://www.securityfocus.com/bid/100684
IBM DB2 CVE-2017-1520 Security Bypass VulnerabilityThird Party Advisory;VDB Entry
Jump to