Cyber Resilience

CVE-2022-43927

Medium

Published: 17 February 2023

Published
17 February 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0014 33.3th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-43927 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Ibm Db2. Its CVSS base score is 5.9 (Medium).

Operationally, ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ibm
db2
10.5, 11.1, 11.5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-269

Audit record review and analysis can detect unauthorized exposure or access to sensitive information.

addresses: CWE-269 CWE-200

Defines roles and responsibilities to ensure proper privilege management during configuration changes.

addresses: CWE-200 CWE-269

Hunting tracks data exfiltration or unauthorized disclosure of sensitive information as a key threat indicator.

addresses: CWE-269

Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

addresses: CWE-269

Access supervision ensures privileges are assigned and managed without improper escalation or retention.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-269

Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

References