Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables.
Published: 2026-06-30
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Db2 installations at versions 11.5.0 through 11.5.9 or 12.1.0 through 12.1.4 can unintentionally expose sensitive information to any authenticated user who has permission to query the internal monitoring or event tables. The flaw grants read access to data not intended for that user, potentially revealing application or system details such as user roles, execution details, or customer data. The vulnerability is classified under CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory).

Affected Systems

The affected products are IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, across the 11.5 and 12.1 release lines. Versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 contain the flaw. The monitoring and event tables are the specific data structures that an authenticated user can read beyond their intended access.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests there is no known exploitation at present. The user must be authenticated to the database instance; an attacker would need valid credentials or would have to compromise an account that has access to the monitoring or event tables. The flaw does not require network access or any privileges beyond those already granted to the user querying the tables.

Generated by OpenCVE AI on June 30, 2026 at 21:20 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5 and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9 and V12.1.4. They can be applied to any affected level of the appropriate release to remediate this vulnerability.

Release: V11.5
Fixed in mod pack / APAR: TBD
Download URL: https://www.ibm.com/support/pages/node/7087189

Release: V12.1
Fixed in mod pack / APAR: TBD
Download URL: https://www.ibm.com/support/pages/node/7267513

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.


Vendor Workaround

Use the DB2REMOTE alias. (DB2REMOTE is supported with LBAR only on 12.1 releases.)


OpenCVE Recommended Actions

  • Apply the interim fix from IBM Fix Central for the appropriate release (V11.5.9 for release 11.5 or V12.1.4 for release 12.1).
  • If the patch cannot be applied immediately, configure a DB2REMOTE alias, which limits remote users to only the functions they need and may reduce visibility of the monitoring tables on 12.1 releases.
  • Restrict database privileges so that only designated monitoring users have SELECT rights on the monitoring and event tables; remove unnecessary access for other roles.

Generated by OpenCVE AI on June 30, 2026 at 21:20 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring and event tables.

Type: Title
Values Removed: (none)
Values Added: IBM® Db2® could disclose sensitive information to an authenticated user from the monitoring and event tables

Type: First Time appeared
Values Removed: (none)
Values Added: Ibm; Ibm db2

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-538

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Ibm; Ibm db2

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T20:03:00.050Z

Reserved: 2025-04-15T21:16:56.325Z

Link: CVE-2025-36372

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-538

    Insertion of Sensitive Information into Externally-Accessible File or Directory