CVE-2023-33854 - Vulnerability Details

- Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data.

Description

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data using man in the middle techniques.

Published: 2026-06-22

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability permits an authenticated user to bypass client‑side validation and manipulate input data through man‑in‑the‑middle techniques. This weakness, classified as CWE‑294, can lead to tampering of database commands or data, compromising integrity and potentially confidentiality of the database content.

Affected Systems

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data in the 4.8, 5.0, 5.1, 5.2, and 5.3 releases are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. It is likely that exploitation requires a network‑based attack where the adversary authenticates with valid credentials and positions a man‑in‑the‑middle to alter input streams. If these conditions are met, an attacker could change query parameters or inject malicious data into the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

affected

Version	Status	Constraints
`4.8.0`	affected	≤ 1.8.4
`5.0.0`	affected	≤ 5.3.0

No data.

Vendor Product Confidence Versions

Ibm

Db2 On Cloud Pak For Data

90%

Version	Status	Scheme	Platform
`[4.8.0,1.8.4]`	affected	semver	—
`[5.0.0,5.3.0]`	affected	semver	—

Ibm

Db2 Warehouse On Cloud Pak For Data

90%

Version	Status	Scheme	Platform
`[4.8.0,1.8.4]`	affected	semver	—
`[5.0.0,5.3.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerabilities now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues i.e to version 5.4. Please note: If the affected release is any refresh level of Cloud Pak for Data 4.8, 5.0, 5.1, 5.2, 5.2.2, 5.3.0 it is strongly recommended to upgrade to Cloud Pak for Data 5.4. ProductFixed in Fix Pack Instructions IBM® Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data v5.4 Db2 Warehouse: https://www.ibm.com/docs/en/software-hub/5.3.x?topic=warehouse-upgrading Db2: https://www.ibm.com/docs/en/software-hub/5.3.x?topic=db2-upgrading

OpenCVE Recommended Actions

Upgrade to IBM Db2 on Cloud Pak for Data and Db2 Warehouse release 5.4, which contains the required fix.
Follow IBM’s documented upgrade instructions to migrate current databases and configurations safely to the new release.
Verify that input streams are properly validated after the upgrade and monitor for additional advisories or patches.

Generated by OpenCVE AI on June 22, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.ibm.com/support/pages/node/7277112

History

Mon, 22 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data using man in the middle techniques.
Title		Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data.
First Time appeared		Ibm Ibm db2 On Cloud Pak For Data Ibm db2 Warehouse On Cloud Pak For Data
Weaknesses		CWE-294
CPEs		cpe:2.3:a:ibm:db2_on_cloud_pak_for_data:4.8:::::::* cpe:2.3:a:ibm:db2_on_cloud_pak_for_data:5.0:::::::* cpe:2.3:a:ibm:db2_on_cloud_pak_for_data:5.1:::::::* cpe:2.3:a:ibm:db2_on_cloud_pak_for_data:5.2:::::::* cpe:2.3:a:ibm:db2_on_cloud_pak_for_data:5.3:::::::* cpe:2.3:a:ibm:db2_warehouse_on_cloud_pak_for_data:4.8:::::::* cpe:2.3:a:ibm:db2_warehouse_on_cloud_pak_for_data:5.0:::::::* cpe:2.3:a:ibm:db2_warehouse_on_cloud_pak_for_data:5.1:::::::* cpe:2.3:a:ibm:db2_warehouse_on_cloud_pak_for_data:5.2:::::::* cpe:2.3:a:ibm:db2_warehouse_on_cloud_pak_for_data:5.3:::::::*
Vendors & Products		Ibm Ibm db2 On Cloud Pak For Data Ibm db2 Warehouse On Cloud Pak For Data
References		https://www.ibm.com/support/pages/node/7277112
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Ibm Db2 On Cloud Pak For Data Db2 Warehouse On Cloud Pak For Data

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-06-22T14:31:21.168Z

Updated: 2026-06-22T14:31:21.168Z

Reserved: 2023-05-23T00:32:05.085Z

Link: CVE-2023-33854

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T17:45:05Z

Weaknesses

CWE-294
Authentication Bypass by Capture-replay

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object