CVE-2014-8910

IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06353
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06354	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06355
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06356
http://www-01.ibm.com/support/docview.wss?uid=swg21697988	Patch Vendor Advisory
http://www.securityfocus.com/bid/75949
http://www.securitytracker.com/id/1032883

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:db2:9.7::::advanced_enterprise:::
	cpe:2.3:a:ibm:db2:9.7::::advanced_workgroup:::
	cpe:2.3:a:ibm:db2:9.7::::enterprise:::
	cpe:2.3:a:ibm:db2:9.7::::express:::
	cpe:2.3:a:ibm:db2:9.7::::workgroup:::
	cpe:2.3:a:ibm:db2:9.8::::advanced_enterprise:::
	cpe:2.3:a:ibm:db2:9.8::::advanced_workgroup:::
	cpe:2.3:a:ibm:db2:9.8::::enterprise:::
	cpe:2.3:a:ibm:db2:9.8::::express:::
	cpe:2.3:a:ibm:db2:9.8::::workgroup:::
	cpe:2.3:a:ibm:db2:10.1::::advanced_enterprise:::
	cpe:2.3:a:ibm:db2:10.1::::advanced_workgroup:::
	cpe:2.3:a:ibm:db2:10.1::::enterprise:::
	cpe:2.3:a:ibm:db2:10.1::::express:::
	cpe:2.3:a:ibm:db2:10.1::::workgroup:::
	cpe:2.3:a:ibm:db2:10.5::::advanced_enterprise:::
	cpe:2.3:a:ibm:db2:10.5::::advanced_workgroup:::
	cpe:2.3:a:ibm:db2:10.5::::enterprise:::
	cpe:2.3:a:ibm:db2:10.5::::express:::
	cpe:2.3:a:ibm:db2:10.5::::workgroup:::

History

No history.

Information

Published : 2015-07-20 01:59

Updated : 2017-09-22 01:29

NVD link : CVE-2014-8910

Mitre link : CVE-2014-8910

CVE.ORG link : CVE-2014-8910

JSON object : View

Products Affected

ibm

db2

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2014-8910", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-07-20T01:59:00.080", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IT06353", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IT06354", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IT06355", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IT06356", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21697988", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www.securityfocus.com/bid/75949", "source": "psirt@us.ibm.com"}, {"url": "http://www.securitytracker.com/id/1032883", "source": "psirt@us.ibm.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement."}, {"lang": "es", "value": "Vulnerabilidad en IBM DB2 9.7 a trav\u00e9s de FP10, 9.8 a trav\u00e9s de FP5, 10.1 anterior a FP5 y 10.5 a trav\u00e9s de FP5 en Linux, UNIX y Windows permite a usuarios remotos autenticados leer archivos de texto arbitarios a trav\u00e9s de una funci\u00f3n XML/XSLT en una sentencia SELECT manipulada."}], "lastModified": "2017-09-22T01:29:01.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:db2:9.7:*:*:*:advanced_enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "3D9E7D2A-42B9-4D07-A107-BBD839E59858"}, {"criteria": "cpe:2.3:a:ibm:db2:9.7:*:*:*:advanced_workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "FD27164C-7554-46E1-B755-27C74D2EC3B7"}, {"criteria": "cpe:2.3:a:ibm:db2:9.7:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "F199F7B4-F273-4D45-AE08-7B5DAE6E0794"}, {"criteria": "cpe:2.3:a:ibm:db2:9.7:*:*:*:express:*:*:*", "vulnerable": true, "matchCriteriaId": "ACEB3F4A-6411-4456-9B89-A43562189BD3"}, {"criteria": "cpe:2.3:a:ibm:db2:9.7:*:*:*:workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "1749B7DC-08BB-474B-BA5A-52602459C8EC"}, {"criteria": "cpe:2.3:a:ibm:db2:9.8:*:*:*:advanced_enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "025FA405-0FD2-4B19-8FA4-15581085BD15"}, {"criteria": "cpe:2.3:a:ibm:db2:9.8:*:*:*:advanced_workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "F425C545-39CD-483C-97A3-BE0DC3EE63DB"}, {"criteria": "cpe:2.3:a:ibm:db2:9.8:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "6A6A7680-D883-414F-965B-1D6136760CA5"}, {"criteria": "cpe:2.3:a:ibm:db2:9.8:*:*:*:express:*:*:*", "vulnerable": true, "matchCriteriaId": "76107CFE-EB32-4AF6-9AF9-F16238F9C671"}, {"criteria": "cpe:2.3:a:ibm:db2:9.8:*:*:*:workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "7D1225B0-DBFF-4A13-93CB-1B64AF9ACE47"}, {"criteria": "cpe:2.3:a:ibm:db2:10.1:*:*:*:advanced_enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "2ECC11D3-7D77-4823-8B34-DD76E131D74C"}, {"criteria": "cpe:2.3:a:ibm:db2:10.1:*:*:*:advanced_workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "E1D36687-32AF-43E2-97D9-FDF602F89318"}, {"criteria": "cpe:2.3:a:ibm:db2:10.1:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "DD80ADF4-35D3-4534-AACD-C00D80870723"}, {"criteria": "cpe:2.3:a:ibm:db2:10.1:*:*:*:express:*:*:*", "vulnerable": true, "matchCriteriaId": "8D274B00-C986-4A5D-94B2-79F4A613D951"}, {"criteria": "cpe:2.3:a:ibm:db2:10.1:*:*:*:workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "67A935CA-7AF6-4DA9-958E-DF4BC8E2B3BF"}, {"criteria": "cpe:2.3:a:ibm:db2:10.5:*:*:*:advanced_enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "A6B1A4DC-7062-4349-8D1A-3DE4B0E68FC8"}, {"criteria": "cpe:2.3:a:ibm:db2:10.5:*:*:*:advanced_workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "B3681F43-F23B-413D-B871-A40821F4988B"}, {"criteria": "cpe:2.3:a:ibm:db2:10.5:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "AE645126-ECD0-40FB-B2BA-5C9EF33EBE69"}, {"criteria": "cpe:2.3:a:ibm:db2:10.5:*:*:*:express:*:*:*", "vulnerable": true, "matchCriteriaId": "9AFEA656-426C-4F18-9737-8985531C7A93"}, {"criteria": "cpe:2.3:a:ibm:db2:10.5:*:*:*:workgroup:*:*:*", "vulnerable": true, "matchCriteriaId": "09B0333F-0E27-40B3-A0DC-618BEA97CBC2"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}