CVE-2022-43927 : IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privile

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671.

Published 2023-02-17 17:15:11

Updated 2023-06-27 13:33:25

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2022-43927

Probability of exploitation activity in the next 30 days: 0.11%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 43 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-43927

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	IBM Corporation
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2022-43927

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: psirt@us.ibm.com (Secondary)
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-43927

https://www.ibm.com/support/pages/node/6953759

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure vulnerabilitiy due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927)
Patch;Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/241671

IBM Db2 for Linux, UNIX and Windows information disclosure CVE-2022-43927 Vulnerability Report
VDB Entry;Vendor Advisory

Products affected by CVE-2022-43927

IBM » DB2 » Version: 10.5 For Linux
cpe:2.3:a:ibm:db2:10.5:*:*:*:*:linux:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 10.5 For Windows
cpe:2.3:a:ibm:db2:10.5:*:*:*:*:windows:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 11.1 For Linux
cpe:2.3:a:ibm:db2:11.1:*:*:*:*:linux:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 11.1 For Windows
cpe:2.3:a:ibm:db2:11.1:*:*:*:*:windows:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 11.5 For Linux
cpe:2.3:a:ibm:db2:11.5:*:*:*:*:linux:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 11.5 For Windows
cpe:2.3:a:ibm:db2:11.5:*:*:*:*:windows:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 10.5 For Unix
cpe:2.3:a:ibm:db2:10.5:*:*:*:*:unix:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 11.1 For Unix
cpe:2.3:a:ibm:db2:11.1:*:*:*:*:unix:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A
IBM » DB2 » Version: 11.5 For Unix
cpe:2.3:a:ibm:db2:11.5:*:*:*:*:unix:*:*
Matching versions
When used together with: HP » Hp-ux » Version: N/A
When used together with: IBM » AIX » Version: N/A
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
When used together with: Oracle » Solaris » Version: N/A

Vulnerability Details : CVE-2022-43927

Exploit prediction scoring system (EPSS) score for CVE-2022-43927

CVSS scores for CVE-2022-43927

CWE ids for CVE-2022-43927

References for CVE-2022-43927

Products affected by CVE-2022-43927