CVE-2017-1297

HIGH

IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, 11.1 - Stack-based Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-1297. PoCs published by defensecode.

AI-analyzed exploit summary This Python script generates a malicious SQL file containing a CALL statement with an overly long procedure name to trigger a stack-based buffer overflow in IBM DB2's Command Line Processor (CVE-2017-1297). The PoC demonstrates the vulnerability by creating a crash.sql file that can be executed via the db2 command-line utility.

Description

IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code. IBM X-Force ID: 125159.

Exploits (1)

exploitdb WORKING POC

by defensecode · pythondosmultiple

https://www.exploit-db.com/exploits/42260

View Code ZIP pw:eip

This Python script generates a malicious SQL file containing a CALL statement with an overly long procedure name to trigger a stack-based buffer overflow in IBM DB2's Command Line Processor (CVE-2017-1297). The PoC demonstrates the vulnerability by creating a crash.sql file that can be executed via the db2 command-line utility.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: IBM DB2 V9.7, V10.1, V10.5, and V11.1

No auth needed

Prerequisites: Access to the IBM DB2 Command Line Processor · Ability to execute the db2 command with a crafted SQL file

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/99271

Vendor Advisory x_refsource_misc

https://exchange.xforce.ibmcloud.com/vulnerabilities/125159

Patch, Vendor Advisory x_refsource_confirm

http://www.ibm.com/support/docview.wss?uid=swg22004878

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038772

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42260/

Scores

CVSS v3 7.3

EPSS 0.0149

EPSS Percentile 70.7%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-119

Status published

Products (16)

ibm/data_server_client

ibm/data_server_driver_for_odbc_and_cli

ibm/data_server_driver_package

ibm/data_server_runtime_client

ibm/db2 9.7 (5 CPE variants)

ibm/db2 10.1 (5 CPE variants)

ibm/db2 10.5 (5 CPE variants)

ibm/db2 11.1 (5 CPE variants)

IBM/DB2 for Linux, UNIX and Windows 10.1

IBM/DB2 for Linux, UNIX and Windows 10.5

... and 6 more

Published Jun 27, 2017

Tracked Since Feb 18, 2026