Vulnerability Name: CVE-2020-4739 (CCN-188149) Assigned: 2019-12-30 Published: 2020-11-19 Updated: 2020-12-03 Summary: IBM DB2 Accessories Suite for Linux, UNIX, and Windows, DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 188149. CVSS v3 Severity: 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-426 Vulnerability Consequences: Gain Privileges References: Source: MITRECVE-2020-4739 ibm-db2-cve20204739-code-exec(188149) ibm-db2-cve20204739-code-exec (188149) IBM Db2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) https://www.ibm.com/support/pages/node/6370023 Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Contract Management Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Program Management Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Emptoris Supplier Lifecycle Mgmt Multiple IBM DB2 Server Vulnerabilities Affect IBM Emptoris Sourcing Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM StoredIQ for Legal IBM Db2 Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2 IBM Db2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) Vulnerabilities in IBM Db2 affect the IBM Spectrum Protect Server (CVE-2020-4701, CVE-2020-4739) Multiple vulnerabilities in IBM DB2 affect the IBM Intelligent Operations Center (CVE-2020-4701, CVE-2020-4739) Multiple vulnerabilities has been identified in IBM DB2 shipped with IBM PureData System for Operational Analytics Vulnerable Configuration: Configuration 1 :cpe:/a:ibm:db2:9.7.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:db2:10.5.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:db2:11.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:db2:*:*:*:*:*:*:*:* (Version >= 11.5 and < 11.5.5.0) AND cpe:/o:microsoft:windows:-:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:ibm:db2:10.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:* AND cpe:/a:ibm:emptoris_sourcing:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_sourcing:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_contract_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_sourcing:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_contract_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_contract_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:intelligent_operations_center:5.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:intelligent_operations_center:5.1.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:intelligent_operations_center:5.1.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:intelligent_operations_center:5.1.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:intelligent_operations_center:5.1.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:9.7:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:10.5:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:* OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:* OR cpe:/a:ibm:emptoris_program_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_program_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_program_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_supplier_lifecycle_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:emptoris_strategic_supply_management:10.1.3:*:*:*:*:*:*:* OR cpe:/a:ibm:intelligent_operations_center:5.2:*:*:*:*:*:*:* OR cpe:/a:ibm:intelligent_operations_center:5.2.1:*:*:*:*:*:*:* BACK
ibm db2 9.7.0.0
ibm db2 10.1.0.0
ibm db2 10.5.0.0
ibm db2 11.1.0.0
ibm db2 *
microsoft windows -
ibm db2 10.5
ibm db2 10.5
ibm db2 10.5
ibm db2 10.1
ibm db2 10.1
ibm db2 10.1
ibm db2 9.7
ibm db2 9.7
ibm db2 9.7
ibm db2 11.1
ibm db2 11.1
ibm db2 11.1
ibm db2 11.5
ibm db2 11.5
ibm db2 11.5
ibm emptoris sourcing 10.1.0
ibm emptoris sourcing 10.1.1
ibm emptoris contract management 10.1.0
ibm emptoris sourcing 10.1.3
ibm emptoris contract management 10.1.1
ibm emptoris contract management 10.1.3
ibm intelligent operations center 5.1.0
ibm intelligent operations center 5.1.0.2
ibm intelligent operations center 5.1.0.3
ibm intelligent operations center 5.1.0.4
ibm intelligent operations center 5.1.0.6
ibm db2 9.7
ibm db2 9.7
ibm db2 9.7
ibm db2 10.1
ibm db2 10.1
ibm db2 10.1
ibm db2 10.5
ibm db2 10.5
ibm db2 10.5
ibm db2 11.1
ibm db2 11.1
ibm db2 11.1
ibm db2 11.5
ibm db2 11.5
ibm db2 11.5
ibm emptoris program management 10.1.0
ibm emptoris program management 10.1.1
ibm emptoris program management 10.1.3
ibm emptoris supplier lifecycle management 10.1.0
ibm emptoris supplier lifecycle management 10.1.1
ibm emptoris supplier lifecycle management 10.1.3
ibm emptoris strategic supply management 10.1.0
ibm emptoris strategic supply management 10.1.1
ibm emptoris strategic supply management 10.1.3
ibm intelligent operations center 5.2
ibm intelligent operations center 5.2.1
Denotes that component is vulnerable