CVE-2012-0709: Input Validation
First published: Tue Mar 20 2012(Updated: )
IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 through FP4 does not properly check variables, which allows remote authenticated users to bypass intended restrictions on viewing table data by leveraging the CREATEIN privilege to execute crafted SQL CREATE VARIABLE statements.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Db2 | =9.5 | |
| IBM Db2 | =9.5-fp1 | |
| IBM Db2 | =9.5-fp2 | |
| IBM Db2 | =9.5-fp2a | |
| IBM Db2 | =9.5-fp3 | |
| IBM Db2 | =9.5-fp3a | |
| IBM Db2 | =9.5-fp3b | |
| IBM Db2 | =9.5-fp4 | |
| IBM Db2 | =9.5-fp4a | |
| IBM Db2 | =9.5-fp5 | |
| IBM Db2 | =9.5-fp6 | |
| IBM Db2 | =9.5-fp6a | |
| IBM Db2 | =9.5-fp7 | |
| IBM Db2 | =9.5-fp8 | |
| IBM Db2 | =9.7 | |
| IBM Db2 | =9.7-fp1 | |
| IBM Db2 | =9.7-fp2 | |
| IBM Db2 | =9.7-fp3 | |
| IBM Db2 | =9.7-fp3a | |
| IBM Db2 | =9.7-fp4 | |
| IBM Db2 | =9.7-fp5 | |
| IBM Db2 | =9.8 | |
| IBM Db2 | =9.8-fp3 | |
| IBM Db2 | =9.8-fp4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC81387
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC81390
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC81836
- http://www-01.ibm.com/support/docview.wss?uid=swg21588100
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73493
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15004
Frequently Asked Questions
What is the severity of CVE-2012-0709?
CVE-2012-0709 is considered a high severity vulnerability due to its potential for data visibility bypass by authenticated users.
How do I fix CVE-2012-0709?
To fix CVE-2012-0709, upgrade the IBM DB2 software to the latest version or apply all necessary fixes and patches provided by IBM.
Who is affected by CVE-2012-0709?
CVE-2012-0709 affects IBM DB2 versions 9.5 prior to FP9, 9.7 through FP5, and 9.8 through FP4.
Can CVE-2012-0709 be exploited remotely?
Yes, CVE-2012-0709 can be exploited by remote authenticated users via manipulated SQL statements.
What type of vulnerability is CVE-2012-0709?
CVE-2012-0709 is a type of SQL Injection vulnerability allowing unauthorized access to sensitive data.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ibm
- canonical/ibm db2
- version/ibm db2/9.5
- version/ibm db2/9.5-fp1
- version/ibm db2/9.5-fp2
- version/ibm db2/9.5-fp2a
- version/ibm db2/9.5-fp3
- version/ibm db2/9.5-fp3a
- version/ibm db2/9.5-fp3b
- version/ibm db2/9.5-fp4
- version/ibm db2/9.5-fp4a
- version/ibm db2/9.5-fp5
- version/ibm db2/9.5-fp6
- version/ibm db2/9.5-fp6a
- version/ibm db2/9.5-fp7
- version/ibm db2/9.5-fp8
- version/ibm db2/9.7
- version/ibm db2/9.7-fp1
- version/ibm db2/9.7-fp2
- version/ibm db2/9.7-fp3
- version/ibm db2/9.7-fp3a
- version/ibm db2/9.7-fp4
- version/ibm db2/9.7-fp5
- version/ibm db2/9.8
- version/ibm db2/9.8-fp3
- version/ibm db2/9.8-fp4