CVE-2017-1677Deserialization of Untrusted Data in IBM DB2

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
7.8HIGHNVD
CNA7.4
EPSS
0.2%
top 62.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM DB2
Timeline
PublishedMar 22
Latest updateMay 14

Description

IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

NVDibm/db24 versions+3

🔴Vulnerability Details

2
GHSA
GHSA-2cm6-r3gm-8w87: IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 92022-05-14
CVEList
CVE-2017-1677: IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 92018-03-22
CVE-2017-1677 — Deserialization of Untrusted Data | cvebase