CVE-2021-38931: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 11.1 and 11.5 was identified with an information disclosure vulnerability. The vulnerability was discovered and disclosed in December 2021, tracked as CVE-2021-38931. This security issue allows a connected user to have indirect read access to tables where they are not authorized to select from (IBM Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, requires no user interaction, has unchanged scope, and can result in high confidentiality impact without affecting integrity or availability (NVD).

The successful exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information from database tables. The impact is primarily focused on data confidentiality, where an attacker could potentially access information they are not authorized to view (IBM Advisory, NetApp Advisory).

IBM has released fixes for the affected versions. For version 11.5, the fix is available in version 11.5.7. For version 11.1, special builds based on V11.1.4 FP6 are available for various platforms. As a workaround, implementation of row and column access control (RCAC) can be used to resolve this vulnerability (IBM Advisory).