CVE-2023-47746: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 contain a vulnerability that could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. The vulnerability was assigned CVE-2023-47746 and was disclosed in January 2024 (IBM Security).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H by NIST NVD, while IBM Corporation rated it with a Base Score of 5.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-20 (Improper Input Validation) (NVD Database).

When successfully exploited, this vulnerability could lead to a denial of service condition in the affected IBM Db2 database systems. The attack requires network access and low privileges (CONNECT privileges) to execute (NetApp Advisory).

IBM has released special builds containing interim fixes for this vulnerability. These are available for V10.5 FP11, V11.1.4 FP7, and V11.5.9, which can be applied to any affected fixpack level of the appropriate release. The fixes are available through IBM Fix Central and are tracked under APAR DT246499 (IBM Security).