Cyber Resilience

CVE-2023-38714

Medium

Published: 25 January 2025

Published
25 January 2025
Modified
13 August 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0010 26.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-38714 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-38714 is an information disclosure vulnerability (CWE-209) affecting specific versions of IBM Cloud Pak System, including 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The flaw enables the exposure of sensitive system information, which could assist attackers in planning subsequent exploits against the system.

The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation results in low-impact confidentiality loss, providing reconnaissance data without affecting integrity or availability.

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7159533 detailing the vulnerability, affected versions, and recommended mitigations or patches.

EU & UK References

Vulnerability details

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

Direct information disclosure of sensitive system details enables System Information Discovery (T1082) for reconnaissance.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-38716Same product: Ibm Cloud Pak System
CVE-2023-38713Same product: Ibm Cloud Pak System
CVE-2023-38010Same product: Ibm Cloud Pak System
CVE-2023-38013Same product: Ibm Cloud Pak System
CVE-2023-38272Same product: Ibm Cloud Pak System
CVE-2024-52367Same vendor: Ibm
CVE-2025-13726Same vendor: Ibm
CVE-2025-3356Same vendor: Ibm
CVE-2025-0162Same vendor: Ibm
CVE-2025-12531Same vendor: Ibm

Affected Assets

ibm
cloud pak system
2.3.3.0, 2.3.3.3, 2.3.3.4, 2.3.3.5, 2.3.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the specific information disclosure flaw in affected IBM Cloud Pak System versions through patching as recommended in the IBM security bulletin.

prevent

Filters system-generated outputs to prevent unauthorized disclosure of sensitive system information exploitable remotely by unauthenticated attackers.

detect

Monitors systems for unauthorized disclosure of sensitive information, enabling detection of exploitation attempts via this reconnaissance vulnerability.

References