CVE-2021-20373: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 versions 9.7, 10.1, 10.5, 11.1, and 11.5 were identified with a vulnerability (CVE-2021-20373) related to information disclosure when using the LOAD utility. The vulnerability was discovered in December 2021, where under certain circumstances, the LOAD utility fails to enforce directory restrictions (IBM Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction. IBM's own assessment rated it slightly lower at CVSS 5.9 (MEDIUM) with vector string CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD, IBM Advisory).

When successfully exploited, this vulnerability could lead to unauthorized information disclosure. The vulnerability specifically affects the LOAD utility functionality, where directory restrictions are not properly enforced, potentially exposing sensitive data (IBM Advisory, NetApp Advisory).

IBM has released special builds containing interim fixes for all affected versions. The fixes are available based on the most recent fixpack level for each impacted release: V9.7 FP11, V10.1 FP6, V10.5 FP11, V11.1.4 FP6, and V11.5.6. Additionally, the registry variable DB2LOADRESTRICTEDIOPATH needs to be set to USEEXTBLLOCATION (v11.1.4.x and later) or one or more semi-colon separated paths (IBM Advisory).