
IBM Db2 CVE-2025-36372

EUVD: EUVD-2025-210373 · MEDIUM
Insertion of Sensitive Information into Externally-Accessible File (CWE-538)
Published 2026-06-30 · Source: psirt@us.ibm.com · GHSA-849g-4qqp-r4r8
6.5 (CVSS 3.1, NVD)

Severity by source

Vendor (us), primary: MEDIUM (qualitative)
NVD: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI: 5.5 MEDIUM
  Rationale: Local access with low-privilege Db2 authentication required; impact is purely confidential data exposure with no integrity or availability effect.
  CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (us).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

Jul 02, 2026 19:22 (NVD): CVSS changed from 5.5 (MEDIUM) to 6.5 (MEDIUM)
Jun 30, 2026 20:31 (vuln.today): Analysis generated
Jun 30, 2026 20:17 (NVD): CVE published, MEDIUM 5.5

Description (NVD)

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables.

Analysis (AI)

IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 expose sensitive information through the monitoring and event tables to authenticated low-privilege users, the pattern NVD classifies as CWE-538: sensitive data is written into a store that is readable beyond its intended trust boundary. The two CVSS 3.1 vectors on this page disagree on reach. The vuln.today vector scores the issue as local (AV:L, 5.5), while NVD's current vector, revised on Jul 02, 2026, scores it as network-reachable (AV:N, 6.5); the one-point difference is exactly the Attack Vector metric. The NVD view is the more realistic one, because the monitoring and event tables are read with ordinary SQL, and any client that can authenticate to the instance, locally or over the network, can issue that SQL. Under either vector the attacker needs valid Db2 credentials (PR:L) and no user interaction, and the impact is confidentiality only (C:H/I:N/A:N), so the practical scenario is an insider or a low-privilege account obtained during an earlier compromise of a shared Db2 environment. No public exploit code was identified and the CVE is not listed in CISA KEV at the time of analysis, so there is no indication of active exploitation.

Technical Context (AI)

IBM Db2 is an enterprise relational database management system (RDBMS) deployed on Linux, UNIX, and Windows, including Db2 Connect Server configurations that broker client connectivity to mainframe and distributed databases. The affected component is Db2's monitoring and event infrastructure: the MON_GET_* monitoring table functions and related MON_ administrative views used for diagnostics and performance tracking, and the target tables that write-to-table event monitors populate. All of these are queried with ordinary SQL by any connected, authenticated session that holds the relevant EXECUTE or SELECT privilege; by design they return material such as statement text, connection attributes, and runtime configuration values. Data landing there that was meant to stay with administrators is the CWE-538 pattern NVD assigned (Insertion of Sensitive Information into Externally-Accessible File or Directory): sensitive information written into a store readable beyond the intended trust boundary. IBM's advisory does not enumerate which fields are affected, so until the fix is applied, treat anything these interfaces can return as potentially in scope. The scope is limited to the vulnerable database (S:U); the vector implies no propagation to adjacent systems.

Remediation (AI)

Apply the fix from the IBM support advisory at https://www.ibm.com/support/pages/node/7277417; the fixed version numbers were not included in the available intelligence and should be confirmed directly against that advisory. As a compensating control until the patch is applied, reduce who can read the affected interfaces: revoke EXECUTE on the MON_GET_* table functions and SELECT on event monitor target tables from PUBLIC and from individual low-privilege users, and grant those privileges back only to a role held by DBAs and monitoring service accounts. GRANT and REVOKE are DCL, not DDL, and the privileges involved are EXECUTE on routines and SELECT on tables; DBADM, DATAACCESS and SQLADM are database authorities rather than roles, and accounts holding them are not affected by object-level grants, so check SYSCAT.DBAUTH for who holds them. Review current grants in SYSCAT.ROUTINEAUTH (routines) and SYSCAT.TABAUTH (tables), and locate event monitor tables through SYSCAT.EVENTTABLES. In databases not created with the RESTRICTIVE option, EXECUTE on SYSPROC routines is granted to PUBLIC by default, so expect broad exposure there. Restricting these objects can break third-party monitoring tools and DBA scripts that query them under a service account, so inventory those dependencies before revoking and add their accounts to the role.
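The audit-and-revoke procedure above, written out as Db2 SQL. This is an added example, not code from the vuln.today page or from IBM's advisory; the role DB2MON, the service user MONSVC and the event monitor target table DB2INST1.CONNECTIONS_EV are assumed names, and the two MON_GET_* functions are chosen as common examples, since the advisory does not say which interfaces leak. It assumes the session holds SECADM or ACCESSCTRL authority.

```sql
-- Added example (not from the page or IBM): find who can read Db2 monitoring
-- interfaces, then move that access from PUBLIC to a dedicated role.
-- Assumed names: role DB2MON, service user MONSVC, event monitor table
-- DB2INST1.CONNECTIONS_EV. Run as a user holding SECADM or ACCESSCTRL.

-- 1. Which MON_GET_* table functions can PUBLIC execute?
--    SYSCAT.ROUTINEAUTH keys on the specific name, so join SYSCAT.ROUTINES
--    to recover the routine name callers actually use.
SELECT r.ROUTINESCHEMA, r.ROUTINENAME, a.GRANTEE, a.GRANTEETYPE, a.EXECUTEAUTH
  FROM SYSCAT.ROUTINEAUTH a
  JOIN SYSCAT.ROUTINES r
    ON r.ROUTINESCHEMA = a.SCHEMA
   AND r.SPECIFICNAME  = a.SPECIFICNAME
 WHERE r.ROUTINESCHEMA = 'SYSPROC'
   AND r.ROUTINENAME LIKE 'MON\_GET%' ESCAPE '\'
   AND a.EXECUTEAUTH IN ('Y', 'G')      -- Y = granted, G = grantable
   AND a.GRANTEE = 'PUBLIC'
 ORDER BY r.ROUTINENAME;

-- 2. Which event monitor target tables are readable, and by whom?
--    SYSCAT.EVENTTABLES maps each write-to-table event monitor to its tables.
SELECT e.EVMONNAME, e.LOGICAL_GROUP, e.TABSCHEMA, e.TABNAME,
       t.GRANTEE, t.GRANTEETYPE, t.SELECTAUTH
  FROM SYSCAT.EVENTTABLES e
  JOIN SYSCAT.TABAUTH t
    ON t.TABSCHEMA = e.TABSCHEMA
   AND t.TABNAME   = e.TABNAME
 WHERE t.SELECTAUTH IN ('Y', 'G')
 ORDER BY e.EVMONNAME, t.GRANTEE;

-- 3. Authorities bypass object grants entirely; know who holds them.
SELECT GRANTEE, GRANTEETYPE, DBADMAUTH, DATAACCESSAUTH, SQLADMAUTH
  FROM SYSCAT.DBAUTH
 WHERE DBADMAUTH = 'Y' OR DATAACCESSAUTH = 'Y' OR SQLADMAUTH = 'Y';

-- 4. Replace the blanket grant with a role held only by monitoring accounts.
--    REVOKE EXECUTE requires RESTRICT. If a function name is overloaded,
--    use REVOKE/GRANT ... ON SPECIFIC FUNCTION with its specific name instead.
CREATE ROLE DB2MON;

REVOKE EXECUTE ON FUNCTION SYSPROC.MON_GET_PKG_CACHE_STMT FROM PUBLIC RESTRICT;
REVOKE EXECUTE ON FUNCTION SYSPROC.MON_GET_CONNECTION     FROM PUBLIC RESTRICT;
GRANT  EXECUTE ON FUNCTION SYSPROC.MON_GET_PKG_CACHE_STMT TO ROLE DB2MON;
GRANT  EXECUTE ON FUNCTION SYSPROC.MON_GET_CONNECTION     TO ROLE DB2MON;

REVOKE SELECT ON TABLE DB2INST1.CONNECTIONS_EV FROM PUBLIC;
GRANT  SELECT ON TABLE DB2INST1.CONNECTIONS_EV TO ROLE DB2MON;

GRANT ROLE DB2MON TO USER MONSVC;

-- 5. Verify from a low-privilege session that does not hold DB2MON:
--    this call should now fail with SQL0551N (missing privilege),
--    and the queries in steps 1 and 2 should no longer list PUBLIC.
SELECT COUNT(*) AS sessions
  FROM TABLE(SYSPROC.MON_GET_CONNECTION(NULL, -2)) AS c;
```

Step 1 returns no rows in a database created with the RESTRICTIVE option, because PUBLIC never received the SYSPROC grants there; the exposure in such databases comes only from explicit grants and from the authorities listed by step 3. Repeat the REVOKE/GRANT pair for every MON_GET_* function and event monitor table your audit in steps 1 and 2 flags, and run step 5 from the service account too, to confirm the role grant covers whatever the monitoring tooling calls.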

More in Db2

CVE-2026-10109 CRITICAL
9.8 Jun 30

Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary co

CVE-2025-36384 HIGH
8.4 Jan 30

Db2 contains a vulnerability that allows a local user with filesystem access to escalate their privileges d

CVE-2025-36184 HIGH
7.2 Jan 30

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execu

CVE-2025-36247 HIGH
7.1 Feb 17

Db2 versions up to 12.1.3 are affected by improper restriction of XML external entity reference (CVSS 7.1).

CVE-2025-36365 MEDIUM
6.8 Jan 30

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific con

CVE-2026-11906 MEDIUM
6.5 Jun 30

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated low-privileged user to crash or han

CVE-2025-14689 MEDIUM
6.5 Feb 17

Db2 contains a vulnerability that allows an authenticated user to cause a denial of service due to improper

CVE-2025-13867 MEDIUM
6.5 Feb 17

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could

CVE-2025-36427 MEDIUM
6.5 Jan 30

Db2 contains a vulnerability that allows attackers to cause a denial of service due to insufficient validation of specia

CVE-2025-36424 MEDIUM
6.5 Jan 30

Db2 contains a vulnerability that allows attackers to cause a denial of service due to improper neutralization of specia

CVE-2025-36442 MEDIUM
6.5 Jan 30

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a

CVE-2025-36366 MEDIUM
6.5 Jan 30

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by exe


CVE-2025-36372 vulnerability details – vuln.today
