#VU58797 Information disclosure in IBM DB2 - CVE-2021-29752

Cybersecurity Help s.r.o.

Published: 2021-12-09

Vulnerability identifier: #VU58797

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-29752

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM DB2
Server applications / Database software

Vendor: IBM Corporation

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to exposure of remote storage credentials to privileged users. A remote authenticated user can gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM DB2: 11.1 FP1 - 11.1.4.6, 11.5 - 11.5.6.0

External links
https://www.ibm.com/support/pages/node/6489489
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-exposing-remote-storage-credentials-to-privileged-users-under-specific-conditions-cve-2021-29752-4/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM DB2