Vulnerability Name:

CVE-2009-3472 (CCN-53629)

Assigned:2009-05-28
Published:2009-05-28
Updated:2009-10-14
Summary:IBM DB2 8 before FP18, 9.1 before FP8, and 9.5 before FP4 allows remote authenticated users to bypass intended access restrictions, and update, insert, or delete table rows, via unspecified vectors.
CVSS v3 Severity:4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
4.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
6.0 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
4.4 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-264
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2009-3472

Source: OSVDB
Type: UNKNOWN
58478

Source: CCN
Type: SA36890
IBM DB2 Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
36890

Source: AIXAPAR
Type: UNKNOWN
IZ50074

Source: CCN
Type: IBM Support & downloads
IZ50074: SECURITY: USER WITHOUT SUFFICIENT PRIVILEGE COULD INSERT, UPDATEOR DELETE ROWS IN A TABLE.

Source: AIXAPAR
Type: UNKNOWN
IZ50078

Source: AIXAPAR
Type: UNKNOWN
IZ50079

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21386689

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21403619

Source: CCN
Type: OSVDB ID: 58478
IBM DB2 Universal Database Unspecified Remote Access Restriction Bypass

Source: BID
Type: UNKNOWN
36540

Source: CCN
Type: BID-36540
IBM DB2 Multiple Unspecified Security Vulnerabilities

Source: XF
Type: UNKNOWN
db2-unspecified-security-bypass(53629)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:db2:8.0:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp10:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp11:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp12:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp13:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp14:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp15:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp16:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp17:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp4:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp5:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp6:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp7:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp8:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:8.0:fp9:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.1:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.1:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.1:fp3:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.1:fp4:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.1:fp5:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.1:fp6:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.1:fp7:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:9.5:fp3:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:db2_universal_database:9.1:fp4:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.1:fp3:aix:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.1::fp2:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:8.0:fp14:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:8.0:fp13:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:8.0:fp9:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp1:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp2:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2_universal_database:9.5:fp3:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm db2 8.0 fp1
    ibm db2 8.0 fp10
    ibm db2 8.0 fp11
    ibm db2 8.0 fp12
    ibm db2 8.0 fp13
    ibm db2 8.0 fp14
    ibm db2 8.0 fp15
    ibm db2 8.0 fp16
    ibm db2 8.0 fp17
    ibm db2 8.0 fp2
    ibm db2 8.0 fp3
    ibm db2 8.0 fp4
    ibm db2 8.0 fp5
    ibm db2 8.0 fp6
    ibm db2 8.0 fp7
    ibm db2 8.0 fp8
    ibm db2 8.0 fp9
    ibm db2 9.1 fp1
    ibm db2 9.1 fp2
    ibm db2 9.1 fp3
    ibm db2 9.1 fp4
    ibm db2 9.1 fp5
    ibm db2 9.1 fp6
    ibm db2 9.1 fp7
    ibm db2 9.5 fp1
    ibm db2 9.5 fp2
    ibm db2 9.5 fp3
    ibm db2 universal database 9.1 fp4
    ibm db2 universal database 9.1 fp3
    ibm db2 universal database 9.1
    ibm db2 universal database 8.0 fp14
    ibm db2 universal database 8.0 fp13
    ibm db2 universal database 8.0 fp9
    ibm db2 universal database 9.5 fp1
    ibm db2 universal database 9.5 fp2
    ibm db2 universal database 9.5 fp3