Cyber Resilience

CVE-2023-38713

Medium

Published: 25 January 2025

Published
25 January 2025
Modified
13 August 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0010 26.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-38713 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-38713 is an information disclosure vulnerability (CWE-209) affecting specific versions of IBM Cloud Pak System, including 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The issue enables the exposure of sensitive system information, which could assist attackers in planning subsequent exploits against the system. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

Network-accessible attackers require no privileges, user interaction, or special conditions to exploit this vulnerability due to its low attack complexity. Successful exploitation yields limited sensitive system details, providing reconnaissance value that could facilitate more targeted attacks but does not directly compromise the system's integrity, availability, or high-value confidentiality.

IBM's security advisory, available at https://www.ibm.com/support/pages/node/7159533, provides details on the vulnerability and recommended mitigations for affected systems.

EU & UK References

Vulnerability details

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1526 Cloud Service Discovery Discovery
An adversary may attempt to enumerate the cloud services running on a system after gaining access.
Why these techniques?

Direct info disclosure of sensitive system details enables unauthenticated System Information Discovery (T1082) and Cloud Service Discovery (T1526) on the affected IBM Cloud Pak platform.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-38716Same product: Ibm Cloud Pak System
CVE-2023-38714Same product: Ibm Cloud Pak System
CVE-2023-38010Same product: Ibm Cloud Pak System
CVE-2023-38013Same product: Ibm Cloud Pak System
CVE-2023-38272Same product: Ibm Cloud Pak System
CVE-2024-52367Same vendor: Ibm
CVE-2025-13726Same vendor: Ibm
CVE-2025-3356Same vendor: Ibm
CVE-2025-0162Same vendor: Ibm
CVE-2025-12531Same vendor: Ibm

Affected Assets

ibm
cloud pak system
2.3.0.0, 2.3.3.0, 2.3.3.3, 2.3.3.4, 2.3.3.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific information disclosure flaw (CWE-209) in vulnerable IBM Cloud Pak System versions by identifying, reporting, and correcting it promptly.

detect

Monitors systems specifically for unauthorized disclosures of sensitive information, enabling detection of exploitation of this CVE.

prevent

Filters sensitive system information from outputs, mitigating the disclosure of reconnaissance-enabling details accessible over the network.

References