CVE-2023-38713

Medium

Published: 25 January 2025

Published

25 January 2025

Modified

13 August 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0010 26.3th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Description

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.

Security Summary

CVE-2023-38713 is an information disclosure vulnerability (CWE-209) affecting specific versions of IBM Cloud Pak System, including 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The issue enables the exposure of sensitive system information, which could assist attackers in planning subsequent exploits against the system. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

Network-accessible attackers require no privileges, user interaction, or special conditions to exploit this vulnerability due to its low attack complexity. Successful exploitation yields limited sensitive system details, providing reconnaissance value that could facilitate more targeted attacks but does not directly compromise the system's integrity, availability, or high-value confidentiality.

IBM's security advisory, available at https://www.ibm.com/support/pages/node/7159533, provides details on the vulnerability and recommended mitigations for affected systems.

Details

CWE(s): CWE-209

Affected Products

ibm

cloud pak system

2.3.0.0, 2.3.3.0, 2.3.3.3, 2.3.3.4, 2.3.3.5

References

https://www.ibm.com/support/pages/node/7159533
Vendor Advisory · psirt@us.ibm.com