CVE-2019-4447

CWE-4273 documents3 sources

Severity

7.8HIGH

EPSS

0.0%

top 89.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM DB2 High Performance Unload Load FOR LUW IBM DB2 High Performance Unload Load

Timeline

PublishedAug 26

Latest updateMay 24

Description

IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum_debug is a setuid root binary which trusts the PATH environment variable. A low privileged user can execute arbitrary commands as root by altering the PATH variable to point to a user controlled location. When a crash is induced the trojan gdb command is executed. IBM X-Force ID: 163488.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/db2_high_performance_unload_load6.1, 6.1.0.1, 6.1.0.2+2

▶CVEListV5ibm/db2_high_performance_unload_load_for_luw6 versions+5

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-jrvj-hjx2-hc4m: IBM DB2 High Performance Unload load for LUW 6↗2022-05-24

▶

CVEList

CVE-2019-4447: IBM DB2 High Performance Unload load for LUW 6↗2019-08-26

▶