CVE-2023-38716
Published: 25 January 2025
Description
IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could disclose sensitive information about the system that could aid in further attacks against the system.
Security Summary
CVE-2023-38716 is an information disclosure vulnerability (CWE-209) in IBM Cloud Pak System versions 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0. It exposes sensitive system information and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): medium severity, reflecting a low confidentiality impact that is reachable over the network.
An unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction. Exploitation discloses sensitive system details that could assist in planning and executing further attacks against the affected system.
IBM's security advisory at https://www.ibm.com/support/pages/node/7148474 provides details on mitigation, including available patches for the listed versions.
Details
- CWE(s)