| CVE ID | CVE-2008-2154 |
| CVSS SCORE | 9.0, AV:N/AC:L/Au:S/C:C/I:C/A:C |
| AFFECTED VENDORS |
IBM |
| AFFECTED PRODUCTS |
DB2 Universal Database |
| TREND MICRO CUSTOMER PROTECTION | Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['10114']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com |
| VULNERABILITY DETAILS |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM DB2. Authentication is required in that a user must have the ability to connect to the database. The specific flaw exists within the install_jar procedure. The install_jar procedure contains a directory traversal vulnerability that will allow the attacker to upload a Jar file to a directory outside of the intended "\function\jar\Name_of_logged_user\" directory. A remote attacker can abuse this to execute arbitrary code under the context of the current user. |
| ADDITIONAL DETAILS |
IZ21983: http://www-01.ibm.com/support/docview.wss?uid=swg1IZ21983 |
| DISCLOSURE TIMELINE |
|
| CREDIT | Anonymous |
