Impact
An authenticated user can trigger a denial of service by exploiting improper neutralization of special elements in the data query logic of XMLTable-derived columns within IBM Db2. The flaw occurs when the system processes XMLTable expressions containing special elements, which can cause the database to become unresponsive. The weakness is classified as CWE-1284 (Improper Neutralization of Special Elements in Data Query Logic).
Affected Systems
IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 on Linux, UNIX and Windows, including Db2 Connect Server, are affected.
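One way to triage an inventory against the version ranges above, as an added example that is not part of the advisory: it assumes each host's version is visible as a token such as "DB2 v11.5.9.0" (the form db2level prints) and compares only major.minor.mod, so fix-pack digits are ignored. The sample output below is constructed.

```python
import re

# Affected ranges taken from the advisory, inclusive on both ends,
# compared on the (major, minor, mod) triple only.
AFFECTED_RANGES = [
    ((11, 5, 0), (11, 5, 9)),
    ((12, 1, 0), (12, 1, 4)),
]

# Matches "v11.5.9.0", "11.5.9" etc.; the optional fourth group (fix pack) is dropped.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_db2_version(text):
    """Return (major, minor, mod) from a string like 'DB2 v11.5.9.0', or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def is_affected(version):
    """True when the (major, minor, mod) triple lies inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'affected' / 'not affected' / 'unknown' from db2level-style text."""
    result = {}
    for host, output in inventory.items():
        version = parse_db2_version(output)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(version) else "not affected"
    return result


# Constructed sample: one line of informational tokens per host (hypothetical hosts).
SAMPLE_INVENTORY = {
    "db-prod-01": 'Informational tokens are "DB2 v11.5.9.0", "s2310270807"',
    "db-prod-02": 'Informational tokens are "DB2 v12.1.5.0", "s2405010000"',
    "db-legacy":  'Informational tokens are "DB2 v11.1.4.7", "s2002280000"',
    "db-unknown": "db2level: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```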
Risk and Exploitability
The CVSS score of 6.5 denotes moderate severity. EPSS information is unavailable, and the vulnerability is not listed in CISA KEV, indicating no publicly known exploitation. The likely attack vector requires an authenticated user with the ability to execute queries that reference XMLTable columns. An attacker who exploits it can cause service interruption, but only with valid Db2 credentials.
OpenCVE Enrichment