Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user.
AnalysisAI
IBM Db2 on Linux, UNIX, and Windows - versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4, including DB2 Connect Server - writes potentially sensitive information into log files readable by local OS users, creating an insider-threat-class confidentiality exposure. The CVSS confidentiality impact is rated High (C:H), but the attack is strictly local (AV:L) and requires only a standard low-privilege OS account (PR:L), making this a post-access or insider-threat scenario rather than an internet-facing risk. No public exploit has been identified at time of analysis, EPSS sits at the 2nd percentile (0.01%), and CISA SSVC records no active exploitation - IBM has released a patch addressed in advisory https://www.ibm.com/support/pages/node/7273554.
Technical ContextAI
IBM Db2 is a widely deployed enterprise relational database management system spanning Linux, UNIX, and Windows. The root cause is CWE-532 (Insertion of Sensitive Information into Log File), a class of vulnerability where the application writes data - such as SQL query content, credentials, or internal configuration state - to diagnostic or operational log files without adequately filtering or redacting sensitive tokens. The affected CPE is cpe:2.3:a:ibm:db2:*:*:*:*:*:*:*:* covering the two named version streams. Because OS log directories on these platforms may be accessible to any authenticated local user depending on file permission configuration, the database's logging subsystem becomes an unintended data disclosure channel. DB2 Connect Server, which acts as a gateway for distributed database access, is explicitly included in the scope, potentially broadening the classes of sensitive transit data captured in logs.
RemediationAI
IBM has confirmed a patch is available; apply the fix described in the vendor advisory at https://www.ibm.com/support/pages/node/7273554 - the exact patched version number must be confirmed directly from that advisory, as NVD CPE data does not specify a fixed release version. While awaiting patching, restrict OS-level read permissions on the Db2 diagnostic log directory (typically defined by the DIAGPATH database manager configuration parameter) to the db2 service account and the DBA administrative group exclusively, preventing general local OS users from browsing log content - note this change may impair operations-team log access for troubleshooting. Additionally, lower the Db2 diagnostic logging verbosity level (DIAGLEVEL) to reduce the volume of potentially sensitive operational data captured in logs, though reducing DIAGLEVEL may degrade incident response fidelity. Audit existing log files for sensitive content and securely archive or purge logs written under the vulnerable versions before applying the patch.
Stack-based buffer overflow in the SQL/PSM (aka SQL Persistent Stored Module) Stored Procedure (SP) infrastructure in IB
IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) is vulnerable to a stack-bas
Stack-based buffer overflow in IBM DB2 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux
IBM DB2 9.5 uses world-writable permissions for nodes.reg, which has unspecified impact and attack vectors. Rated critic
Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary co
Stack-based buffer overflow in the Java Stored Procedure infrastructure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7
Directory traversal vulnerability in the UTL_FILE module in IBM DB2 and DB2 Connect 10.1 before FP1 on Windows allows re
IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system
Integer signedness error in the db2dasrrm process in the DB2 Administration Server (DAS) in IBM DB2 9.1 through FP11, 9.
The Stored Procedure infrastructure in IBM DB2 9.5, 9.7 before FP9a, 10.1 before FP3a, and 10.5 before FP3a on Windows a
The scalar-function implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 o
IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209933
GHSA-vhw4-7vwf-ww45