CVE-2023-38714

Medium

Published: 25 January 2025

Published

25 January 2025

Modified

13 August 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0010 26.3th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-38714 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific information disclosure flaw in affected IBM Cloud Pak System versions through patching as recommended in the IBM security bulletin.

SI-15 Information Output Filtering good match

prevent

Filters system-generated outputs to prevent unauthorized disclosure of sensitive system information exploitable remotely by unauthenticated attackers.

AU-13 Monitoring for Information Disclosure good match

detect

Monitors systems for unauthorized disclosure of sensitive information, enabling detection of exploitation attempts via this reconnaissance vulnerability.

NVD Description

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.

Deeper analysisAI

CVE-2023-38714 is an information disclosure vulnerability (CWE-209) affecting specific versions of IBM Cloud Pak System, including 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The flaw enables the exposure of sensitive system information, which could assist attackers in planning subsequent exploits against the system.

The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation results in low-impact confidentiality loss, providing reconnaissance data without affecting integrity or availability.

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7159533 detailing the vulnerability, affected versions, and recommended mitigations or patches.

Details

CWE(s): CWE-209

Affected Products

ibm

cloud pak system

2.3.3.0, 2.3.3.3, 2.3.3.4, 2.3.3.5, 2.3.3.6

CVEs Like This One

CVE-2023-38713Same product: Ibm Cloud Pak System

CVE-2023-38716Same product: Ibm Cloud Pak System

CVE-2023-38272Same product: Ibm Cloud Pak System

CVE-2023-38010Same product: Ibm Cloud Pak System

CVE-2023-38013Same product: Ibm Cloud Pak System

CVE-2025-13726Same vendor: Ibm

CVE-2024-56340Same vendor: Ibm

CVE-2024-43187Same vendor: Ibm

CVE-2025-0162Same vendor: Ibm

CVE-2024-28766Same vendor: Ibm

References

https://www.ibm.com/support/pages/node/7159533
Vendor Advisory · psirt@us.ibm.com