PT-2025-47897 · Ibm+1 · Ibm Db2+1
Ryotak
·
Published
2025-11-24
·
Updated
2025-11-24
·
CVE-2025-12740
CVSS v4.0
7.7
High
| Vector | AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red |
Name of the Vulnerable Software and Affected Versions
Looker versions prior to 25.0.93
Looker versions prior to 25.6.84
Looker versions prior to 25.12.42
Looker versions prior to 25.14.50
Looker versions prior to 25.16.44
Description
A user with a Developer role can create a database connection using the IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command. This is due to insufficient filtering of the driver’s parameters. This issue affects both Looker-hosted and self-hosted instances. The issue has been mitigated for Looker-hosted instances and does not require user action.
Recommendations
Upgrade self-hosted instances to version 25.0.93 or later.
Upgrade self-hosted instances to version 25.6.84 or later.
Upgrade self-hosted instances to version 25.12.42 or later.
Upgrade self-hosted instances to version 25.14.50 or later.
Upgrade self-hosted instances to version 25.16.44 or later.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ibm Db2
Looker