CVE-2023-29256: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 is affected by an information disclosure vulnerability (CVE-2023-29256) due to improper privilege management when certain federation features are used. The vulnerability was disclosed in July 2023 (IBM Security).

The vulnerability has received a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges. IBM's assessment differs slightly with a CVSS score of 5.3 (MEDIUM) and vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, suggesting higher attack complexity (NVD).

When successfully exploited, this vulnerability could lead to the disclosure of sensitive information through improper privilege management when specific federation features are used (IBM Security, NetApp Advisory).

IBM has released special builds containing interim fixes for affected versions: V10.5 FP11, V11.1.4 FP7, V11.5.7, and V11.5.8. After applying the fixpack, customers using federation need to run db2updv on all impacted releases. The fixes are available through Fix Central for all affected platforms (IBM Security).