Cyber Resilience

CVE-2023-38013

Medium

Published: 25 January 2025

Published
25 January 2025
Modified
13 August 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0010 26.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-38013 is a medium-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-38013 affects IBM Cloud Pak System versions 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The vulnerability involves the disclosure of sensitive information in HTTP responses, classified under CWE-201 (Exposure of Sensitive Information to an Unauthorized Actor), with additional NVD-CWE-noinfo notation. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity primarily due to confidentiality impact.

Attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation discloses sensitive information in HTTP responses, enabling low-impact confidentiality breaches that could facilitate further attacks against the system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7159533 details the issue and provides guidance on mitigations or patches for the affected versions.

EU & UK References

Vulnerability details

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information in HTTP responses that could aid in further attacks against the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct info disclosure via unauthenticated HTTP responses on a public-facing IBM Cloud Pak System instance enables exploitation of the public application for reconnaissance.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-38272Same product: Ibm Cloud Pak System
CVE-2023-38716Same product: Ibm Cloud Pak System
CVE-2023-38714Same product: Ibm Cloud Pak System
CVE-2023-38713Same product: Ibm Cloud Pak System
CVE-2026-8633Same vendor: Ibm
CVE-2025-0159Same vendor: Ibm
CVE-2023-49886Same vendor: Ibm
CVE-2026-1343Same vendor: Ibm
CVE-2026-8620Same vendor: Ibm
CVE-2024-39750Same vendor: Ibm

Affected Assets

ibm
cloud pak system
2.3.3.0, 2.3.3.3, 2.3.3.4, 2.3.3.5, 2.3.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the flaw causing sensitive information disclosure in HTTP responses through identification, reporting, and correction of vulnerabilities in affected IBM Cloud Pak System versions.

prevent

Filters sensitive information content from HTTP responses before sharing with non-privileged or unauthorized network actors.

prevent

Restricts and controls sensitive information posted or accessible via the system's publicly facing HTTP interfaces.

References