Cyber Posture

CVE-2023-38013

Medium

Published: 25 January 2025

Modified: 13 August 2025
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0010 (26.3th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38013 is a medium-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in IBM Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks at the 26.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the flaw causing sensitive information disclosure in HTTP responses through identification, reporting, and correction of vulnerabilities in affected IBM Cloud Pak System versions.

Prevent: Filters sensitive information content from HTTP responses before sharing with non-privileged or unauthorized network actors.

Prevent: Restricts and controls sensitive information posted or accessible via the system's publicly facing HTTP interfaces.

NVD Description

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information in HTTP responses that could aid in further attacks against the system.

Deeper analysis

CVE-2023-38013 affects IBM Cloud Pak System versions 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The vulnerability involves the disclosure of sensitive information in HTTP responses, classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), with additional NVD-CWE-noinfo notation. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity primarily due to confidentiality impact.

Attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation discloses sensitive information in HTTP responses, enabling low-impact confidentiality breaches that could facilitate further attacks against the system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7159533 details the issue and provides guidance on mitigations or patches for the affected versions.

Details

CWE(s)

Affected Products

ibm
cloud pak system
2.3.3.0, 2.3.3.3, 2.3.3.4, 2.3.3.5, 2.3.3.6

CVEs Like This One

CVE-2023-38272 (same product: IBM Cloud Pak System)
CVE-2023-38713 (same product: IBM Cloud Pak System)
CVE-2023-38716 (same product: IBM Cloud Pak System)
CVE-2023-38714 (same product: IBM Cloud Pak System)
CVE-2023-38010 (same product: IBM Cloud Pak System)
CVE-2024-56340 (same vendor: IBM)
CVE-2024-43187 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2024-28766 (same vendor: IBM)
CVE-2025-14480 (same vendor: IBM)
