CVE-2023-38013
Published: 25 January 2025
Description
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information in HTTP responses that could aid in further attacks against the system.
Security Summary
CVE-2023-38013 affects IBM Cloud Pak System versions 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The vulnerability is the disclosure of sensitive information in HTTP responses. It is classified under CWE-201 (Exposure of Sensitive Information to an Unauthorized Actor) and is additionally tagged NVD-CWE-noinfo. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), a medium severity rating in which the only impact is a low loss of confidentiality (C:L); integrity and availability are not affected (I:N/A:N).
An attacker with network access can exploit this vulnerability at low attack complexity, without authentication, privileges, or user interaction. Exploitation exposes sensitive information in HTTP responses, a low-impact confidentiality breach that could facilitate further attacks against the system.
IBM's security advisory at https://www.ibm.com/support/pages/node/7159533 details the issue and provides guidance on mitigations or patches for the affected versions.
Details
- CWE(s)