CVE-2018-1566

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to execute arbitrary code due to a format string error. IBM X-Force ID: 143023.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
Db2	Ibm	9.7 (including)	9.7 (including)
Db2	Ibm	10.1 (including)	10.1 (including)
Db2	Ibm	10.5 (including)	10.5 (including)
Db2	Ibm	11.1 (including)	11.1 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://www.ibm.com/support/docview.wss?uid=swg22016182
http://www.securityfocus.com/bid/104740
http://www.securitytracker.com/id/1041229
https://exchange.xforce.ibmcloud.com/vulnerabilities/143023
http://www.ibm.com/support/docview.wss?uid=swg22016182
http://www.securityfocus.com/bid/104740
http://www.securitytracker.com/id/1041229
https://exchange.xforce.ibmcloud.com/vulnerabilities/143023

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-1566
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References