CVE-2019-4447 HIGH

CVE-2019-4447

Vendor Ibm
Product DB2 High Performance Unload load for LUW
Published August 26, 2019
Last update September 16, 2024

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/I:H/AC:L/A:H/PR:N/UI:N/S:U/AV:L/C:H/E:U/RC:C/RL:O

What the vulnerability does

01Description

IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1, 6.1.0.2, 6.1.0.2 IF1, and 6.1.0.1 IF2 db2hpum_debug is a setuid root binary which trusts the PATH environment variable. A low privileged user can execute arbitrary commands as root by altering the PATH variable to point to a user controlled location. When a crash is induced the trojan gdb command is executed. IBM X-Force ID: 163488.

Key dates

02Disclosure timeline

August 26, 2019 CVE published
September 16, 2024 Record updated