CVE-2023-29257: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 was identified with a critical security vulnerability tracked as CVE-2023-29257. The vulnerability was discovered and disclosed on April 26, 2023, allowing a database administrator of one database to execute code or read/write files from another database within the same instance (IBM Security, CVE Details).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L), requires high privileges (PR:H), needs no user interaction (UI:N), has unchanged scope (S:U), and can result in high impact to confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD Database).

The successful exploitation of this vulnerability could lead to unauthorized code execution and file access across different databases within the same instance. This presents significant risks to data confidentiality, integrity, and system availability, particularly in environments where database isolation is crucial (IBM Security).

IBM has released special builds containing interim fixes for affected versions. These builds are available based on the most recent fixpack levels: V10.5 FP11, V11.1.4 FP7, V11.5.7, and V11.5.8. The fixes can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. No workarounds have been identified (IBM Security).