CVE-2025-36131

Summary

IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) clpplus command exposes user credentials to the terminal which could be obtained by a third party with physical access to the system.

Affected Software

VendorProductVersion RangeStatus
IBMDb211.1.0 <= 11.1.4.7affected
IBMDb211.5.0 <= 11.5.9affected
IBMDb212.1.0 <= 12.1.3affected

Weaknesses

  • CWE-359: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

Workarounds

Workarounds and Mitigations USE CLPPLUS tool using "clpplus" option.(without using "-nw") Note: only "clpplus -nw" is having this issue. if you start clpplus that uses just "clpplus" command then new terminal will be opened and you can continue working as usual. Problem happens when only "-nw" option is used with clpplus command For example "clpplus -nw" (no windows) option.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References