CVE-2025-13755
IBM Db2 Information Disclosure in Log Files
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: IBM Corporation
Description
CVSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | db2 | From 11.5.0 (inc) to 11.5.9 (inc) |
| ibm | db2 | From 12.1.0 (inc) to 12.1.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves the storage of potentially sensitive information in log files that could be accessed by a local user. This exposure of sensitive data may impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information from unauthorized access.
Organizations using affected IBM Db2 versions should apply the provided fixes or mitigations to reduce the risk of credential exposure and help maintain compliance with these standards.
Can you explain this vulnerability to me?
IBM Db2 for Linux, UNIX, and Windows (including DB2 Connect Server) has a vulnerability where sensitive information, such as credentials, may be stored in the db2diag log files when specific testcase buckets are executed.
This means that a local user with access to these log files could potentially read sensitive data that should not be exposed.
The affected versions include Db2 11.5.0 through 11.5.9 and Db2 12.1.0 through 12.1.4.
How can this vulnerability impact me?
This vulnerability can lead to credential exposure, allowing a local user to access sensitive information stored in log files.
Such exposure could compromise the security of the database environment by enabling unauthorized access or further attacks using the leaked credentials.
The CVSS base score of 5.5 indicates a moderate severity, meaning the impact is significant but requires local access and low privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves sensitive information being stored in the db2diag log file when specific testcase buckets are executed. Detection involves checking these log files for the presence of sensitive data exposure.
You can inspect the db2diag log files on the affected Db2 servers to check whether sensitive information is being logged. For example, on Linux or UNIX systems, you might use commands like:
- `grep -i 'password' /path/to/db2diag.log`
- `grep -i 'credential' /path/to/db2diag.log`
- `grep -i 'testcase' /path/to/db2diag.log`
These commands help identify whether credential-related information is being written to the log. Adjust the log file path to match your Db2 installation.
What immediate steps should I take to mitigate this vulnerability?
IBM recommends applying the interim fixes available through Fix Central for Db2 versions 11.5.9 and 12.1.4 to address this vulnerability.
As an immediate workaround, you can reduce the risk of credential exposure by setting the diaglevel parameter to 2, 1, or 0, which lowers the verbosity of logging and limits the sensitive information being recorded; note that this also reduces the diagnostic detail available for troubleshooting.
Ensure that only authorized local users have access to the db2diag log files, so that unauthorized users cannot read sensitive information from them.