| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2012-4826 |
119 |
|
Exec Code Overflow |
2012-10-20 |
2013-03-01 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in the SQL/PSM (aka SQL Persistent Stored Module) Stored Procedure (SP) infrastructure in IBM DB2 9.1, 9.5, 9.7 before FP7, 9.8, and 10.1 might allow remote authenticated users to execute arbitrary code by debugging a stored procedure. |
|
2 |
CVE-2012-2197 |
119 |
|
Exec Code Overflow |
2012-07-25 |
2012-07-30 |
7.1 |
None |
Remote |
High |
Single system |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in the Java Stored Procedure infrastructure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote authenticated users to execute arbitrary code by leveraging certain CONNECT and EXECUTE privileges. |
|
3 |
CVE-2012-2196 |
200 |
|
+Info |
2012-07-25 |
2012-08-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to read arbitrary XML files via the (1) GET_WRAP_CFG_C or (2) GET_WRAP_CFG_C2 stored procedure. |
|
4 |
CVE-2012-2194 |
22 |
|
Dir. Trav. |
2012-07-25 |
2012-07-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Directory traversal vulnerability in the SQLJ.DB2_INSTALL_JAR stored procedure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to replace JAR files via unspecified vectors. |
|
5 |
CVE-2012-2180 |
|
|
DoS |
2012-06-20 |
2012-06-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The chaining functionality in the Distributed Relational Database Architecture (DRDA) module in IBM DB2 9.7 before FP6 and 9.8 before FP5 allows remote attackers to cause a denial of service (NULL pointer dereference, and resource consumption or daemon crash) via a crafted request. |
|
6 |
CVE-2012-0713 |
|
|
|
2012-08-24 |
2012-08-24 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Unspecified vulnerability in the XML feature in IBM DB2 9.7 before FP6 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary XML files via unknown vectors. |
|
7 |
CVE-2012-0712 |
399 |
|
DoS |
2012-03-20 |
2012-08-13 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The XML feature in IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 through FP4 allows remote authenticated users to cause a denial of service (infinite loop) by calling the XMLPARSE function with a crafted string expression. |
|
8 |
CVE-2012-0711 |
189 |
|
Exec Code Overflow |
2012-03-20 |
2012-08-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer signedness error in the db2dasrrm process in the DB2 Administration Server (DAS) in IBM DB2 9.1 through FP11, 9.5 before FP9, and 9.7 through FP5 on UNIX platforms allows remote attackers to execute arbitrary code via a crafted request that triggers a heap-based buffer overflow. |
|
9 |
CVE-2012-0710 |
20 |
|
DoS |
2012-03-20 |
2012-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM DB2 9.1 before FP11, 9.5 before FP9, 9.7 before FP5, and 9.8 before FP4 allows remote attackers to cause a denial of service (daemon crash) via a crafted Distributed Relational Database Architecture (DRDA) request. |
|
10 |
CVE-2012-0709 |
20 |
|
Bypass |
2012-03-20 |
2012-08-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 through FP4 does not properly check variables, which allows remote authenticated users to bypass intended restrictions on viewing table data by leveraging the CREATEIN privilege to execute crafted SQL CREATE VARIABLE statements. |
|
11 |
CVE-2011-1847 |
264 |
|
|
2011-05-03 |
2012-01-26 |
4.9 |
None |
Remote |
Medium |
Single system |
None |
Partial |
Partial |
|
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information. |
|
12 |
CVE-2011-1846 |
264 |
|
|
2011-05-03 |
2012-01-26 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly revoke role membership from groups, which allows remote authenticated users to execute non-DDL statements by leveraging previous inherited possession of a role, a different vulnerability than CVE-2011-0757. NOTE: some of these details are obtained from third party information. |
|
13 |
CVE-2011-0757 |
264 |
|
|
2011-02-02 |
2012-01-26 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, UNIX, and Windows does not properly revoke the DBADM authority, which allows remote authenticated users to execute non-DDL statements by leveraging previous possession of this authority. |
|
14 |
CVE-2011-0731 |
119 |
|
Exec Code Overflow |
2011-02-01 |
2012-01-26 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP7, and 9.7 before FP3 on Linux, UNIX, and Windows allows remote attackers to execute arbitrary code via unspecified vectors. |
|
15 |
CVE-2010-3475 |
264 |
|
Bypass |
2010-09-20 |
2012-01-26 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM DB2 9.7 before FP3 does not properly enforce privilege requirements for execution of entries in the dynamic SQL cache, which allows remote authenticated users to bypass intended access restrictions by leveraging the cache to execute an UPDATE statement contained in a compiled compound SQL statement. |
|
16 |
CVE-2010-3474 |
264 |
|
Bypass |
2010-09-20 |
2012-01-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
IBM DB2 9.7 before FP3 does not perform the expected drops or invalidations of dependent functions upon a loss of privileges by the functions' owners, which allows remote authenticated users to bypass intended access restrictions via calls to these functions, a different vulnerability than CVE-2009-3471. |
|
17 |
CVE-2010-3197 |
264 |
|
+Info |
2010-08-31 |
2012-01-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM DB2 9.7 before FP2 does not perform the expected access control on the monitor administrative views in the SYSIBMADM schema, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
18 |
CVE-2010-3196 |
264 |
|
DoS |
2010-08-31 |
2012-01-26 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
None |
Partial |
|
IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote authenticated users to cause a denial of service (loss of privileges) to a view owner by defining a dependent view. |
|
19 |
CVE-2010-3195 |
|
|
DoS |
2010-08-31 |
2012-01-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 on Windows Server 2008 allows attackers to cause a denial of service (trap) via vectors involving "special group and user enumeration." |
|
20 |
CVE-2010-3194 |
264 |
|
Bypass |
2010-08-31 |
2012-01-26 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The DB2DART program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows attackers to bypass intended file access restrictions via unspecified vectors related to overwriting files owned by an instance owner. |
|
21 |
CVE-2010-3193 |
|
|
|
2010-08-31 |
2012-01-26 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 has unknown impact and attack vectors. |
|
22 |
CVE-2010-0462 |
119 |
|
Overflow |
2010-01-28 |
2012-01-26 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows remote authenticated users to have an unspecified impact via a SELECT statement that has a long column name generated with the REPEAT function. |
|
23 |
CVE-2009-4438 |
264 |
|
|
2009-12-28 |
2010-06-29 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The Query Compiler, Rewrite, and Optimizer component in IBM DB2 9.1 before FP8, 9.5 before FP5, and 9.7 before FP1 does not enforce privilege requirements for access to a (1) sequence or (2) global-variable object, which allows remote authenticated users to make use of data via unspecified vectors. |
|
24 |
CVE-2009-4334 |
264 |
|
DoS |
2009-12-16 |
2010-06-29 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Self Tuning Memory Manager (STMM) component in IBM DB2 9.1 before FP8, 9.5 before FP5, and 9.7 before FP1 uses 0666 permissions for the STMM log file, which allows local users to cause a denial of service or have unspecified other impact by writing to this file. |
|
25 |
CVE-2009-4332 |
|
|
DoS |
2009-12-16 |
2010-06-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
db2pd in the Problem Determination component in IBM DB2 9.1 before FP7 and 9.5 before FP5 allows attackers to cause a denial of service (NULL pointer dereference and application termination) via unspecified vectors. |
|
26 |
CVE-2009-4331 |
264 |
|
|
2009-12-16 |
2010-10-07 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Install component in IBM DB2 9.5 before FP5 and 9.7 before FP1 configures the High Availability (HA) scripts with incorrect file-permission and authorization settings, which has unknown impact and local attack vectors. |
|
27 |
CVE-2009-4327 |
20 |
|
DoS |
2009-12-16 |
2010-06-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Common Code Infrastructure component in IBM DB2 9.5 before FP5 and 9.7 before FP1 does not properly validate the size of a memory pool during a creation attempt, which allows attackers to cause a denial of service (memory consumption) via unspecified vectors. |
|
28 |
CVE-2009-4326 |
200 |
|
+Info |
2009-12-16 |
2010-06-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The RAND scalar function in the Common Code Infrastructure component in IBM DB2 9.5 before FP5 and 9.7 before FP1, when the Database Partitioning Feature (DPF) is used, produces "repeating" return values, which might allow attackers to defeat protection mechanisms based on randomization by predicting a value. |
|
29 |
CVE-2009-4325 |
20 |
|
|
2009-12-16 |
2010-06-29 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
The Client Interfaces component in IBM DB2 8.2 before FP18, 9.1 before FP8, 9.5 before FP5, and 9.7 before FP1 does not validate an unspecified pointer, which allows attackers to overwrite "external memory" via unknown vectors, related to a missing "check for null pointers." |
|
30 |
CVE-2009-4150 |
264 |
|
|
2009-12-02 |
2009-12-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
dasauto in IBM DB2 8 before FP18, 9.1 before FP8, 9.5 before FP4, and 9.7 before FP1 permits execution by unprivileged user accounts, which has unspecified impact and local attack vectors. |
