PT-2023-5225 · Ibm · Ibm Db2 Jdbc Driver

Xu Yuanzhen

Published

2023-07-08

Updated

2023-08-03

CVE-2023-27867

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows versions 10.5, 11.1, and 11.5

Description The issue is related to incorrect code generation management in the IBM DB2 JDBC driver, which could allow a remote authenticated attacker to execute arbitrary code. By sending a specially crafted request using the clientRerouteServerListJNDIName property, an attacker could exploit this to execute arbitrary code on the system.

Recommendations For versions 10.5, 11.1, and 11.5, consider disabling the use of the clientRerouteServerListJNDIName property until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

BDU:2023-05833

CVE-2023-27867

Affected Products

Ibm Db2 Jdbc Driver

PT-2023-5225 · Ibm · Ibm Db2 Jdbc Driver

CVE-2023-27867

Weakness Enumeration

Related Identifiers

Affected Products

References · 6