CVE-2023-38713

Medium

Published: 25 January 2025

Published

25 January 2025

Modified

13 August 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0010 26.3th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-38713 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the specific information disclosure flaw (CWE-209) in vulnerable IBM Cloud Pak System versions by identifying, reporting, and correcting it promptly.

AU-13 Monitoring for Information Disclosure good match

detect

Monitors systems specifically for unauthorized disclosures of sensitive information, enabling detection of exploitation of this CVE.

SI-15 Information Output Filtering partial match

prevent

Filters sensitive system information from outputs, mitigating the disclosure of reconnaissance-enabling details accessible over the network.

NVD Description

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.

Deeper analysisAI

CVE-2023-38713 is an information disclosure vulnerability (CWE-209) affecting specific versions of IBM Cloud Pak System, including 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The issue enables the exposure of sensitive system information, which could assist attackers in planning subsequent exploits against the system. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

Network-accessible attackers require no privileges, user interaction, or special conditions to exploit this vulnerability due to its low attack complexity. Successful exploitation yields limited sensitive system details, providing reconnaissance value that could facilitate more targeted attacks but does not directly compromise the system's integrity, availability, or high-value confidentiality.

IBM's security advisory, available at https://www.ibm.com/support/pages/node/7159533, provides details on the vulnerability and recommended mitigations for affected systems.

Details

CWE(s): CWE-209

Affected Products

ibm

cloud pak system

2.3.0.0, 2.3.3.0, 2.3.3.3, 2.3.3.4, 2.3.3.5

CVEs Like This One

CVE-2023-38716Same product: Ibm Cloud Pak System

CVE-2023-38714Same product: Ibm Cloud Pak System

CVE-2023-38272Same product: Ibm Cloud Pak System

CVE-2023-38010Same product: Ibm Cloud Pak System

CVE-2023-38013Same product: Ibm Cloud Pak System

CVE-2025-13726Same vendor: Ibm

CVE-2024-56340Same vendor: Ibm

CVE-2024-43187Same vendor: Ibm

CVE-2025-0162Same vendor: Ibm

CVE-2024-28766Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7159533
Vendor Advisory · psirt@us.ibm.com