IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system.
Fixes

Solution

The issues can be fixed by applying a PTF to IBM i. IBM Db2 Mirror for i releases 7.6, 7.5, and 7.4 will be fixed. The PTF numbers for 5770-DBM containing the fix for the vulnerabilities are in the following table. IBM i Release 5770-DBM PTF Numbers PTF Download Link 7.4 SJ05739   https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05739 7.5 SJ05742   https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05742 7.6 SJ05744   https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05744 https://www.ibm.com/support/fixcentral


Workaround

No workaround given by the vendor.

History

Wed, 23 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 23 Jul 2025 14:45:00 +0000

Type Values Removed Values Added
Description IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system.
Title IBM Db2 Mirror for i session fixation
First Time appeared Ibm
Ibm db2 Mirror For I
Weaknesses CWE-384
CPEs cpe:2.3:a:ibm:db2_mirror_for_i:7.4:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2_mirror_for_i:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2_mirror_for_i:7.6:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm db2 Mirror For I
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2025-08-18T01:30:05.928Z

Reserved: 2025-04-15T21:16:17.124Z

Link: CVE-2025-36117

cve-icon Vulnrichment

Updated: 2025-07-23T14:57:59.664Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-23T15:15:31.867

Modified: 2025-08-07T14:36:42.153

Link: CVE-2025-36117

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.