CVE-2023-38272
Published: 27 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2023-38272 is a vulnerability in IBM Cloud Pak System versions 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, and 2.3.4.1 that could allow a user with access to the network to obtain sensitive information from CLI arguments. Published on 2025-03-27, it is rated 5.9 on the CVSS 3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-300 (Channel Accessible by Non-Endpoint).
An unauthenticated attacker with network access can exploit this vulnerability, though it requires high attack complexity and no user interaction. Successful exploitation enables the disclosure of sensitive information with high confidentiality impact, without affecting integrity or availability, and with unchanged scope.
IBM has published an advisory with mitigation details at https://www.ibm.com/support/pages/node/7229212.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The network-accessible info disclosure vuln in IBM Cloud Pak System enables exploitation of public-facing apps (T1190) and facilitates collection of sensitive data from local CLI arguments (T1005).