CVE-2023-27558: 
IBM Db2 vulnerability analysis and mitigation

CVE-2023-27558 affects IBM Db2 on Windows versions 10.5, 11.1, and 11.5. The vulnerability is related to privilege escalation caused by at least one installed service using an unquoted service path. This security flaw was disclosed in July 2023 and affects specifically the Windows platform implementations of IBM Db2, while Linux/Unix platforms remain unaffected (IBM Advisory).

The vulnerability has received a CVSS v3.1 Base Score of 7.8 (HIGH) according to NIST, with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. IBM's assessment rates it slightly higher at 8.4 (HIGH) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows a local attacker to gain elevated privileges by inserting an executable file in the path of the affected service (NetApp Advisory).

IBM has released special builds containing interim fixes for affected versions. These builds are available based on the most recent fixpack level for each impacted release: V10.5 FP11, V11.1.4 FP7, and V11.5.8. The special builds can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. No workarounds have been identified at this time (IBM Advisory).