IBM741F72151C9E1D79C45CD0B44C8BA02F55C6FAA48E243B3851C8DBA8ADD3BF01Security Bulletin: IBM Informix JDBC Driver is susceptible to remote code execution
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
69.0%
Summary
In informix-jdbc-complete, there is a method, com.informix.jdbcx.IfxConnectionPoolManager.<constructor>, designed to create a connection pool manager. Passing an unchecked argument to this API can lead to the execution of arbitrary commands.
Vulnerability Details
CVEID:CVE-2023-35895
**DESCRIPTION:**IBM Informix JDBC Driver is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259116 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Informix JDBC | 4.10.x |
| Informix JDBC | 4.50.x |
Remediation/Fixes
IBM Informix JDBC 4.50.J10W1 is available through IBM Fix Central.
IBM Informix JDBC.4.10.JC16W1.ALL is available through IBM Fix Central.
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | informix_jdbc | 4.5 | cpe:2.3:a:ibm:informix_jdbc:4.5:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
69.0%