CVE-2023-38714
Published: 25 January 2025
Summary
CVE-2023-38714 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-38714 is an information disclosure vulnerability (CWE-209) affecting specific versions of IBM Cloud Pak System, including 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1. The flaw enables the exposure of sensitive system information, which could assist attackers in planning subsequent exploits against the system.
The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation results in low-impact confidentiality loss, providing reconnaissance data without affecting integrity or availability.
IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7159533 detailing the vulnerability, affected versions, and recommended mitigations or patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42489
Vulnerability details
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct information disclosure of sensitive system details enables System Information Discovery (T1082) for reconnaissance.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the specific information disclosure flaw in affected IBM Cloud Pak System versions through patching as recommended in the IBM security bulletin.
Filters system-generated outputs to prevent unauthorized disclosure of sensitive system information exploitable remotely by unauthenticated attackers.
Monitors systems for unauthorized disclosure of sensitive information, enabling detection of exploitation attempts via this reconnaissance vulnerability.