I hunt for vulnerabilities in open and closed source software. Below is a list of some of my publicly acknowledged vulnerabilities.
CVE-2025-5467 - Ubuntu Apport Insecure File Permissions
Details can be found on my work blog at https://www.stratascale.com/vulnerability-alert-cve20255467
Vendor Advisory: https://ubuntu.com/security/CVE-2025-5467
CVE-2025-47161 - Microsoft Defender Elevation of Privilege Vulnerability
Details can be found on my work blog at http://stratascale.com/vulnerability-alert-cve202547161
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
CVE-2025-26684 - Microsoft Defender Elevation of Privilege Vulnerability
Details can be found on my work blog at https://www.stratascale.com/vulnerability-alert-cve20255467.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26684
CVE-2024-53552 CrushFTP - Host Header Injection
CrushFTP V10 versions below 10.8.3 and CrushFTP V11 versions below 11.2.3 are vulnerable to host header injection via password reset. If an end user clicks the link, their account will be compromised.
Vendor Advisory: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
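The CrushFTP entry above names the bug class but not the mechanics, so here is an added illustration of host header injection in a password-reset flow, written for this page and not taken from CrushFTP. The vulnerable function builds the emailed link from the request's Host (or a proxy-supplied X-Forwarded-Host); the hardened one builds it from a server-side configured origin and rejects mismatching Host values. CANONICAL_ORIGIN, the key, the user names and the /reset path are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed operator-configured public origin of the service. The fix hinges on
# this value living in server-side configuration, never in the request.
CANONICAL_ORIGIN = "https://files.example.com"


def make_reset_token(user: str, key: bytes) -> str:
    """Opaque per-request reset token bound to the user (HMAC keeps this self-contained)."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def reset_link_vulnerable(headers: dict, user: str, key: bytes) -> str:
    """Builds the emailed link from whatever the client sent in Host (or a proxy
    header). The attacker requests a reset for the victim with Host: attacker.example;
    the victim's real token is mailed to the victim, but the link points at the
    attacker's server, which captures the token when the victim clicks it."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    query = urlencode({"user": user, "token": make_reset_token(user, key)})
    return f"https://{host}/reset?{query}"


def is_trusted_host(host: str) -> bool:
    """Exact match against the configured origin: no prefix/suffix matching and
    no reliance on proxy headers."""
    expected = CANONICAL_ORIGIN.split("://", 1)[1]
    return host.lower() == expected


def reset_link_hardened(headers: dict, user: str, key: bytes) -> str:
    """Rejects requests whose Host does not match configuration, and builds the
    link from CANONICAL_ORIGIN rather than from the header in any case."""
    host = headers.get("Host", "")
    if not is_trusted_host(host):
        raise ValueError(f"rejected reset request for untrusted Host {host!r}")
    query = urlencode({"user": user, "token": make_reset_token(user, key)})
    return f"{CANONICAL_ORIGIN}/reset?{query}"


def link_origin(url: str) -> str:
    """Scheme + host part of a generated link, for inspection."""
    return url.split("/reset?", 1)[0]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print(reset_link_vulnerable({"Host": "attacker.example"}, "victim", key))
    print(reset_link_hardened({"Host": "files.example.com"}, "victim", key))
```

When testing a reset endpoint, send the request twice, once with a Host you control and once with a bogus X-Forwarded-Host behind the real Host, and inspect the link in the resulting email; either variant landing on your host is the finding. Note that the hardened check is a strict string match, so deployments that legitimately serve several hostnames need an allowlist rather than a single origin.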
CVE-2023-41904 ManageEngine ADManager Plus MFA Bypass
Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.
Vendor Advisory: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-41904.html
CVE-2021-43044 Kaseya Unitrends SNMP Weak Password
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The SNMP daemon was configured with a weak default community.
CVE-2021-43043 Kaseya Unitrends Privilege Escalation – Insecure Sudo Rule
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The apache user could read arbitrary files such as /etc/shadow by abusing an insecure Sudo rule.
CVE-2021-43042 Kaseya Unitrends Buffer Overflow - vaultServer
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A buffer overflow existed in the vaultServer component. This was exploitable by a remote unauthenticated attacker.
CVE-2021-43041 Kaseya Unitrends Uncontrolled Format String – vaultServer
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A crafted HTTP request could induce a format string vulnerability in the privileged vaultServer application.
CVE-2021-43040 Kaseya Unitrends Privilege Escalation – Arbitrary File Create – vaultServer
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The privileged vaultServer could be leveraged to create arbitrary writable files, leading to privilege escalation.
Work Blog: https://cyberonesecurity.com/offensive-security/exploiting-kaseya-unitrends-backup-appliance-part-1/
CVE-2021-43039 Kaseya Unitrends SMB Null Sessions Allowed with Read/Write
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access.
Work Blog: https://cyberonesecurity.com/offensive-security/exploiting-kaseya-unitrends-backup-appliance-part-1/
CVE-2021-43038 Kaseya Unitrends - PostgreSQL Trigger Command Injection
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The wguest account could execute commands by injecting into PostgreSQL trigger functions. This allowed privilege escalation from the wguest user to the postgres user.
Work Blog: https://cyberonesecurity.com/offensive-security/exploiting-kaseya-unitrends-backup-appliance-part-1/
CVE-2021-43037 Kaseya Unitrends Windows Backup Agent DLL Injection
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Unitrends Windows agent was vulnerable to DLL injection and binary planting due to insecure default permissions. This allowed privilege escalation from an unprivileged user to SYSTEM.
CVE-2021-43036 Kaseya Unitrends Weak PostgreSQL Account wguest
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The password for the PostgreSQL wguest account is weak.
Work Blog: https://cyberonesecurity.com/offensive-security/exploiting-kaseya-unitrends-backup-appliance-part-1/
CVE-2021-43035 Kaseya Unitrends Unauthenticated SQL Injection
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account.
Work Blog: https://cyberonesecurity.com/offensive-security/exploiting-kaseya-unitrends-backup-appliance-part-2/
CVE-2021-43034 Kaseya Unitrends Privilege Escalation
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A world writable file allowed local users to execute arbitrary code as the user apache, leading to privilege escalation.
CVE-2021-43033 Kaseya Unitrends Unauthenticated Remote Code Execution – bpserverd
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Multiple functions in the Unitrends Backup Appliance bpserverd daemon were vulnerable to remote code execution, resulting in arbitrary code execution as root. The vulnerability was caused by untrusted input (received by the server) being passed to system calls.
CVE-2021-MULTIPLE Quest KACE Systems Management Appliance (SMA) Vulnerabilities
CVE-2021-PENDING K1-30592 - Default Password for FTP access
CVE-2021-PENDING K1-30593 - Default Password for MySQL access
CVE-2021-PENDING K1-30594 - Rate limit can be bypassed on API login attempts
CVE-2021-PENDING K1-30595 - Static symmetric encryption key is not unique per appliance
CVE-2021-PENDING K1-30596 - API is not constrained by console ACL restrictions
Vendor Advisory: https://support.quest.com/kace-systems-management-appliance/kb/4293505/quest-response-to-criticalstart-vulnerability-report
CVE-2021-13860 Mofi Network MOFI4500-4GXeLTE - Predictable One Time Password
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password.
CVE-2021-13859 Mofi Network MOFI4500-4GXeLTE - Authentication Bypass
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature.
CVE-2021-13858 Mofi Network MOFI4500-4GXeLTE - Hard-Coded Administrator Accounts
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password is not unique across installations.
CVE-2021-13857 Mofi Network MOFI4500-4GXeLTE - Unauthenticated Reboot
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request.
CVE-2021-13856 Mofi Network MOFI4500-4GXeLTE - Information Disclosure of Sensitive Data
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes.
CVE-2021-15836 Mofi Network MOFI4500-4GXeLTE - Unauthenticated Command Injection
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function passes untrusted data to the operating system without proper sanitization. A crafted request can be sent to execute arbitrary commands as root.
CVE-2021-15835 Mofi Network MOFI4500-4GXeLTE - Undocumented Backdoor - Authentication Bypass
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function contains undocumented code that provides the ability to authenticate as root without knowing the actual root password. An adversary with the private key can remotely authenticate to the management interface as root.
CVE-2021-15834 Mofi Network MOFI4500-4GXeLTE - Information Disclosure – WiFi Network Password
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management interface.
CVE-2021-15833 Mofi Network MOFI4500-4GXeLTE - Undocumented Backdoor – SSH Daemon
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The Dropbear SSH daemon has been modified to accept an alternate hard-coded path to a public key that allows root access. This key is stored in a /rom location that cannot be modified by the device owner.
CVE-2021-15832 Mofi Network MOFI4500-4GXeLTE - Undocumented Backdoor – Remote Reboot
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The poof.cgi script contains undocumented code that provides the ability to remotely reboot the device. An adversary with the private key (but not the root password) can remotely reboot the device.
CVE-2020-35659 Pi-hole Critical Stored XSS Vulnerability
Pi-hole v5.2.1 is vulnerable to a critical stored cross site scripting vulnerability. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator accesses the Query Log or Long-term Query Log pages on the web portal.
The Pi-hole project released a fix on 12/24/2020 in v5.2.2. Shodan reports over 7,500 Pi-hole instances. This could be remotely exploited if these instances permit external DNS queries. Other possibilities may exist if a malformed DNS query is allowed. Vendor Advisory: https://github.com/pi-hole/AdminLTE/pull/1665.
CVE-2020-2032 - GlobalProtect App: File race condition vulnerability leads to local privilege escalation during upgrade
A race condition vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a local limited Windows user to execute programs with SYSTEM privileges.
CVE-2020-3957 - VMware Fusion Elevation of Privilege Vulnerability.
VMware Fusion, VMRC and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOCTOU) issue in the service opener. PoC: CVE-2020-3957.sh. PoC: CVE-2020-3957-TOCTOU.sh. Blog Post: Local Privilege Escalation Discovered In VMware Fusion.
CVE-2020-3950 - VMware Fusion Elevation of Privilege Vulnerability.
VMware Fusion, VMRC for Mac and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries. PoC: CVE-2020-3950.sh
CVE-2020-0757 - Windows SSH Elevation of Privilege Vulnerability.
An elevation of privilege vulnerability exists when Windows improperly handles Secure Socket Shell remote commands. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.
CVE-2020-5180 - Viscosity macOS, Windows Limited Elevation of Privilege Vulnerability.
An attacker with local access could potentially run arbitrary code within Viscosity’s OpenVPN sandbox by using a maliciously crafted OpenSSL engine and associated command. Such an attack is successfully contained within Viscosity’s sandbox, which has de-elevated permissions and access restrictions, and so an attacker does not gain elevated local permissions (such as root or SYSTEM) on the machine and their actions are severely limited.
However, under macOS an attacker may be able to access on-disk VPN credentials (such as a certificate and private key) from other active OpenVPN connections that run within the sandbox at the same time. This does not apply to the Windows version. Because of this, we encourage those in multi-user macOS environments to update as soon as possible.
CVE-2019-19151 - K21711352: F5 BIG-IP, BIG-IQ TMOS Shell vulnerability
Authenticated users granted TMOS Shell (tmsh) privileges can access objects on the file system which would normally be disallowed by tmsh restrictions. This allows authenticated, low-privileged attackers to access objects on the file system that would not normally be permitted.
CVE-2019-4606 - IBM Db2 High Performance Unload is affected by 3RD PARTY - Unquoted Service Path vulnerability
IBM DB2 High Performance Unload could allow a local attacker to execute arbitrary code on the system, caused by an untrusted search path vulnerability. By placing an executable file in the search path, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2019-4587 - IBM® Db2® is vulnerable to privilege escalation
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local authenticated attacker to gain elevated privileges on the system, caused by an unquoted search path in sshd_worker.exe. By inserting an arbitrary file in the path, an attacker could exploit this vulnerability to execute arbitrary code with SYSTEM privileges.
CVE-PENDING - VMware Fusion Arbitrary File Overwrite
VMware Fusion v11.5.0 and earlier is vulnerable to an arbitrary file overwrite. Certain operations open a file insecurely in a world-writable location, which can allow a local unprivileged user to cause an arbitrary file to be overwritten.
Vendor Advisory: VMware-Fusion-1151-Release-Notes.html
CVE-2019-3466 - Debian / Ubuntu Privilege Escalation via pg_ctlcluster
pg_ctlcluster script didn’t drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation
CVE-2019-4523 - IBM Db2 High Performance Unload is affected by 3RD PARTY - Buffer Overflow in --credential keystore vulnerability
IBM DB2 High Performance Unload is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges.
CVE-2019-2390 - mongoDB Elevation of Privilege Vulnerability
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.
CVE-2019-1211 - Git for Visual Studio Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files. An attacker who successfully exploited the vulnerability could execute code in the context of another local user.
CVE-2019-4447 - Privilege escalation in IBM DB2 HPU via loading DB2 library
IBM DB2 High Performance Unload loads shared libraries from an untrusted path, potentially giving a low-privileged user full root access by loading a malicious shared library.
CVE-2019-4448 - Privilege escalation in IBM DB2 HPU debug binary via trusted PATH
IBM DB2 High Performance Unload debug binary is a setuid root binary which trusts the PATH environment variable. A low privileged user can execute arbitrary commands as root by altering the PATH variable to point to a user controlled location.
CVE-2019-1552 - OpenSSL Windows builds with insecure path defaults
OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options.
However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.
CVE-2019-4154 - IBM® Db2® is vulnerable to buffer overflow leading to potential arbitrary code execution as root.
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
CVE-2019-4057 - IBM® Db2® is vulnerable to privilege escalation to root via malicious use of fenced user.
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
CVE-2019-5443 - cURL libcurl for Windows OpenSSL engine code execution
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl automatically run the code (as an openssl “engine”) on invocation. If that curl is invoked by a privileged user it can do anything it wants.
Blog Post: OPENSSL ENGINE CODE INJECTION IN CURL
HackerOne Report: 608577
stunnel for Windows Elevation of Privilege Vulnerability via malicious OpenSSL engine loading
A low-privileged user can create an openssl.cnf configuration file that loads a malicious OpenSSL engine library, resulting in arbitrary code execution with the full authority of the account running stunnel. If the stunnel TLS wrapper service is used, this will be SYSTEM.
Vendor Advisory: stunnel 5.55 released
CVE-2019-12571 - PIA Beta macOS Arbitrary File Overwrite
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files.
CVE-2019-12572 - PIA Windows Elevation of Privilege: Malicious OpenSSL engine
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
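The OpenSSL CVE-2019-1552, curl CVE-2019-5443, stunnel and PIA CVE-2019-12572 entries above are one bug class seen from four sides: an OpenSSL build whose OPENSSLDIR (or ENGINESDIR) sits under a user-creatable prefix lets any local user plant an openssl.cnf that loads an engine library into every privileged process that initialises OpenSSL with default config loading. The following is an added audit helper written for this page, not code from OpenSSL, curl, stunnel or PIA. It parses `openssl version -a` output (the mingw sample is constructed, not real build output), reports whether the config directories are creatable by an unprivileged user, and renders the shape of the planted config so it can be turned into a detection signature. The engine section keys are the standard ones from OpenSSL's config(5) manual; the evil.dll name is an assumption.

```python
import os
import re

# Default prefix of OpenSSL's mingw builds on Windows (per the CVE-2019-1552
# text above). Unlike %ProgramFiles%, any local user can create it.
SUSPECT_PREFIXES = ("c:/usr/local",)

# Shape of the config an attacker drops at <OPENSSLDIR>/openssl.cnf. A process
# that loads the default config loads dynamic_path and, with init = 1, calls
# into it. Key names are OpenSSL's engine-config keys; the file name is assumed.
MALICIOUS_CNF_TEMPLATE = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
evil = evil_section
[evil_section]
engine_id = evil
dynamic_path = {engine_library}
init = 1
"""

# Constructed sample of `openssl version -a` output from a mingw build.
SAMPLE_MINGW = """\
OpenSSL 1.1.1  (constructed sample, not real build output)
platform: mingw64
OPENSSLDIR: "C:/usr/local/ssl"
ENGINESDIR: "C:/usr/local/lib/engines-1_1"
"""


def parse_version_a(text: str) -> dict:
    """Extract OPENSSLDIR and ENGINESDIR from `openssl version -a` output."""
    found = {}
    for m in re.finditer(r'^(OPENSSLDIR|ENGINESDIR):\s*"([^"]*)"', text, re.M):
        found[m.group(1)] = m.group(2)
    return found


def nearest_existing_ancestor(path: str) -> str:
    """Walk up until a component exists; that is where an attacker would mkdir."""
    while path and not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            return ""
        path = parent
    return path


def assess(dirs: dict, writable=lambda p: os.access(p, os.W_OK)) -> tuple:
    """Return (risky, reason). `writable` is injectable so recorded output from
    another host can be assessed offline; os.access is unreliable on Windows,
    which is why the known-bad prefix is matched by string first."""
    findings = []
    for key in ("OPENSSLDIR", "ENGINESDIR"):
        d = dirs.get(key)
        if not d:
            continue
        norm = d.replace("\\", "/").lower()
        if norm.startswith(SUSPECT_PREFIXES):
            findings.append(f"{key} {d} is under C:/usr/local, creatable by any local user")
            continue
        probe = nearest_existing_ancestor(d)
        if probe and writable(probe):
            findings.append(f"{key} {d}: nearest existing ancestor {probe} is writable by this user")
    if findings:
        return True, "; ".join(findings)
    return False, "OPENSSLDIR and ENGINESDIR are not creatable by an unprivileged user"


def render_malicious_cnf(engine_library: str) -> str:
    """What the planted openssl.cnf looks like, for building detection signatures."""
    return MALICIOUS_CNF_TEMPLATE.format(engine_library=engine_library)


if __name__ == "__main__":
    import subprocess
    import sys
    text = SAMPLE_MINGW
    if "--live" in sys.argv:  # audit the openssl binary on this host instead of the sample
        text = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
    dirs = parse_version_a(text)
    risky, why = assess(dirs)
    print(dirs, "RISKY" if risky else "ok", why)
    print(render_malicious_cnf("C:/usr/local/evil.dll"))
```

Two caveats a practitioner should keep in mind: setting OPENSSL_CONF in the environment redirects the lookup entirely, so a privileged service that inherits a caller's environment is exposed even when OPENSSLDIR is safe; and the check is about who can create the directory tree, not who owns an already-existing one, which is why the nearest existing ancestor is what gets probed.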
CVE-2019-12573 - PIA Linux, macOS Arbitrary File Overwrite
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files.
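The VMware Fusion arbitrary-file-overwrite entry and the PIA CVE-2019-12571/CVE-2019-12573 entries above describe the same class: a privileged component opens a predictable path in a shared, world-writable location, and a local user has pre-planted a symlink there. Below is an added illustration written for this page, not VMware or PIA code. It runs an insecure writer and a hardened one against a planted symlink and reports what each did to the target file. Directory and file names are constructed; the "privileged" writer runs as the current user, so the demo shows the file-system effect rather than an actual privilege boundary.

```python
import os
import tempfile


def privileged_write_vulnerable(path: str, data: bytes) -> None:
    """Insecure pattern: open(path, 'wb') is O_WRONLY|O_CREAT|O_TRUNC and follows
    symlinks, so it truncates and rewrites whatever the planted link points at."""
    with open(path, "wb") as f:
        f.write(data)


def privileged_write_hardened(path: str, data: bytes) -> None:
    """Hardened pattern: O_EXCL refuses a pre-existing entry (including a dangling
    symlink), O_NOFOLLOW refuses to traverse one, and the create is atomic, so there
    is no check-then-use window for the attacker to race. Owner-only mode."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Plants a symlink at the predictable name and runs both writers against it."""
    shared = tempfile.mkdtemp(prefix="shared-")       # stand-in for /tmp or similar
    victim_dir = tempfile.mkdtemp(prefix="victim-")
    victim = os.path.join(victim_dir, "important.conf")  # file only the victim should write
    with open(victim, "wb") as f:
        f.write(b"original\n")

    planted = os.path.join(shared, "helper.log")      # predictable name the privileged code uses
    os.symlink(victim, planted)                       # attacker's move, before the privileged open

    privileged_write_vulnerable(planted, b"owned\n")
    with open(victim, "rb") as f:
        after_vulnerable = f.read()

    hardened_error = None
    try:
        privileged_write_hardened(planted, b"owned again\n")
    except OSError as e:
        hardened_error = type(e).__name__
    with open(victim, "rb") as f:
        after_hardened = f.read()

    return {
        "after_vulnerable": after_vulnerable,   # victim file clobbered through the link
        "hardened_error": hardened_error,       # FileExistsError: the create was refused
        "after_hardened": after_hardened,       # unchanged since the vulnerable write
    }


if __name__ == "__main__":
    print(demo())
```

The fix that does not work is checking `os.path.islink` first and then opening: that reintroduces the race the GlobalProtect and Keybase entries on this page describe. If the file legitimately has to be reused across runs, open it O_NOFOLLOW without O_EXCL and then fstat the descriptor to confirm the owner and link count before writing; and wherever possible, stop using shared directories for privileged state at all.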
CVE-2019-12574 - PIA Stable, Beta Windows Elevation of Privilege: DLL Injection
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA client is vulnerable to a DLL injection vulnerability during the software update process.
CVE-2019-12575 - PIA Linux Elevation of Privilege: Insecure Library Paths
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
CVE-2019-12576 - PIA macOS Elevation of Privilege: Insecure PATH
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
CVE-2019-12577 - PIA macOS Elevation of Privilege: Insecure umask
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
CVE-2019-12578 - PIA Linux Elevation of Privilege: Exposed Dangerous Parameter
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
CVE-2019-12579 - PIA Linux/macOS Elevation of Privilege: OS Command injection
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
CVE-2019-6617 - F5 BIG-IP Resource Administrator vulnerability
A user with the Resource Administrator role is able to overwrite sensitive low-level files, such as /etc/passwd, using SFTP to modify user permissions, without Advanced Shell access. This is contrary to our definition for the Resource Administrator role restrictions.
CVE-2019-4094 - IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) binaries load shared libraries from an untrusted path, potentially giving a low-privileged user full root access by loading a malicious shared library.
CVE-2019-6724 - Barracuda VPN Client Privilege Escalation on Linux and macOS
The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root.
CVE-2019-7249 - Local Privilege Escalation in MacOS via Keybase Helper
In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susceptible to time-of-check to time-of-use (TOCTOU) bugs and would also allow one user of the system (who didn't have root access) to tamper with another's installs. View the HackerOne report 471739.
CVE-2018-18629 - Local Privilege Escalation on Linux via keybase-redirector
An issue was discovered in the Keybase command-line client 2.8.0.20181017144746.3efc4cbf3c for Linux. An untrusted search path vulnerability in the keybase-redirector application allows a local, unprivileged user on Linux to gain root privileges via a Trojan horse binary. View the HackerOne report 426944, write-up and PoC CVE-2018-18629.sh.
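CVE-2019-4448 (a setuid root debug binary trusting PATH) and CVE-2018-18629 (keybase-redirector resolving a helper through an untrusted search path) above are the same technique: a privileged program inherits the caller's PATH and resolves a sub-command through it, so the caller prepends a directory holding a same-named Trojan. The following is an added illustration written for this page, not IBM or Keybase code. It shows the resolution logic that gets exploited, a vulnerable helper that inherits the caller's environment, and a hardened one that uses a fixed search path and executes by absolute path. The helpers run as the current user, so the demo shows which binary gets executed, not an actual privilege gain; the attacker directory and Trojan script are constructed.

```python
import os
import shutil
import stat
import subprocess
import tempfile

TRUSTED_PATH = "/usr/bin:/bin"   # fixed search path a privileged program should use
TOOL = "uname"                   # the external command the helper runs; present on any POSIX host


def resolve(name: str, search_path: str, is_executable=lambda p: os.access(p, os.X_OK)) -> str:
    """First-match lookup the way execvp does it. `is_executable` is injectable so
    the resolution order can be shown without touching the filesystem."""
    for d in search_path.split(os.pathsep):
        if not d:
            continue
        candidate = os.path.join(d, name)
        if is_executable(candidate):
            return candidate
    return ""


def plant_trojan(directory: str, name: str) -> str:
    """Attacker's step: a same-named executable in a directory they control."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def helper_vulnerable(caller_env: dict) -> str:
    """Vulnerable privileged helper: resolves TOOL through the PATH it inherited."""
    target = resolve(TOOL, caller_env.get("PATH", ""))
    return subprocess.run([target], env=caller_env, capture_output=True, text=True).stdout.strip()


def helper_hardened(caller_env: dict) -> str:
    """Hardened helper: discards the inherited environment, resolves against a fixed
    trusted path, and execs by absolute path so no later lookup can differ."""
    target = resolve(TOOL, TRUSTED_PATH)
    if not target:
        raise FileNotFoundError(f"{TOOL} not found in {TRUSTED_PATH}")
    return subprocess.run([target], env={"PATH": TRUSTED_PATH}, capture_output=True, text=True).stdout.strip()


def demo() -> dict:
    """Low-privileged caller plants the Trojan, prepends its directory to PATH,
    and invokes both helpers the way a setuid wrapper would be invoked."""
    attacker_dir = tempfile.mkdtemp(prefix="attacker-")
    plant_trojan(attacker_dir, TOOL)
    caller_env = dict(os.environ)
    caller_env["PATH"] = attacker_dir + os.pathsep + caller_env.get("PATH", "")
    try:
        return {"vulnerable": helper_vulnerable(caller_env), "hardened": helper_hardened(caller_env)}
    finally:
        shutil.rmtree(attacker_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # vulnerable -> HIJACKED, hardened -> the real uname output
```

The same resolution logic applies to the library-loading variants elsewhere on this page (RUNPATH, LD_LIBRARY_PATH-style lookups): the loader walks a list, and the first writable entry wins. When auditing a setuid or root-run binary, the questions are therefore whether it sanitises its environment before any exec or dlopen, and whether every directory in its effective search list is root-owned and not writable by others.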
CVE-2018-15332 BIG-IP APM client for Linux and macOS vulnerability
The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition. A malicious, local, unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host.
CVE-2018-1792 - IBM MQ can allow an attacker to execute a privilege escalation attack on a local machine.
A problem within IBM MQ libraries could allow an attacker who has access to a local machine to use IBM MQ to escalate their privileges on that system and gain access to the root user. Write-up: CVE-2018-1792 – IBM MQ Privilege Escalation: Fun with RUNPATH. PoC: CVE-2018-1792.sh
CVE-2018-1802 - IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path
Db2 binaries load shared libraries from an untrusted path, potentially giving Db2 Instance Owner root access.
CVE-2018-18555 - VyOS Multiple restricted shell escapes for operators
A sandbox escape issue was discovered in VyOS 1.1.8. It provides a restricted management shell for operator users to administer the device. By issuing various shell special characters with certain commands, an authenticated operator user can break out of the management shell and gain access to the underlying Linux shell. The user can then run arbitrary operating system commands with the privileges afforded by their account.
CVE-2018-18556 - VyOS Privilege escalation via sudo pppd
A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges. View the write-up and PoC CVE-2018-18556.sh.
CVE-2018-1710 - Buffer overflow in IBM® Db2® tool db2licm
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) tool db2licm is affected by buffer overflow vulnerability that can potentially result in arbitrary code execution.
CVE-2018-5546 - BIG-IP APM client for Linux and macOS vulnerability
The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host.
CVE-2018-2939 - Oracle DBMS arbitrary file overwrite vulnerabilities
Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1 and 18.2. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Core RDBMS executes to compromise Core RDBMS. While the vulnerability is in Core RDBMS, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Core RDBMS accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Core RDBMS.
CVE-2018-5529 - F5 BIG-IP APM client for Linux and Mac OS X vulnerability
The svpn component of the BIG-IP APM client for Linux and Mac OS X runs as a privileged process and can allow an unprivileged user to assume super-user privileges on the local client host.
CVE-2018-1458 - Multiple untrusted search path vulnerabilities in the IBM® Db2® DAS component on Windows
Multiple untrusted search path vulnerabilities in the Db2 Administration Server (DAS) component of Db2 on Windows could allow a local user to execute arbitrary code.
CVE-2018-1487 - Privilege escalation in IBM® Db2® via loading libraries from untrusted path
Db2 loads shared libraries from an untrusted path potentially giving low privilege user full access to the DB2 instance account by loading a malicious shared library. All instance owner executables that run with elevated privileges (setuid) are affected. Root setuid executables are not affected. The implication is that if the customer has implemented their own applications which run with elevated privileges (setuid) those are affected as well, and it is up to the customer to ensure that the DB2INSTANCE environment variable is correctly set to the Db2 instance owner, and not modified by a malicious user.
CVE-2018-1488 - Buffer overflow in IBM® Db2® tool db2licm
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
CVE-2018-1449, CVE-2018-1450, CVE-2018-1451, CVE-2018-1452 - IBM® Db2® is affected by multiple file overwrite vulnerabilities
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner.
CVE-2018-1448 - IBM® Db2® vulnerability allows local user to overwrite Db2 files
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner.
CVE-2017-12337 - Cisco Voice Operating System-Based Products Unauthorized Access Vulnerability
A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device.
CVE-2017-1452 - IBM® Db2® vulnerability allows local user to overwrite Db2 files
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user to obtain elevated privilege and overwrite DB2 files.
CVE-2017-1438 - Privilege escalation vulnerabilities affect IBM® Db2®
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.
CVE-2017-1439, CVE-2017-1451 - Privilege escalation vulnerabilities affect IBM® Db2®
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.