Cyber Posture

CVE-2023-38716

Medium

Published: 25 January 2025
Modified: 13 August 2025
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0010 (26.3th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38716 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in IBM Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks at the 26.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly remediates the information disclosure vulnerability by identifying, testing, and applying vendor patches as provided in IBM's security advisory.

prevent

Enforces approved authorizations and protections for public or unauthenticated access to system resources, preventing exposure of sensitive system information to remote attackers.

prevent

Filters and sanitizes information outputs to block the disclosure of sensitive system details to unauthenticated remote users.

NVD Description

IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could disclose sensitive information about the system that could aid in further attacks against the system.

Deeper analysis

CVE-2023-38716 is an information disclosure vulnerability (CWE-209) in IBM Cloud Pak System versions 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0. The issue enables the exposure of sensitive system information, with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity due to low confidentiality impact over the network.

An unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction. Exploitation discloses sensitive system details that could assist in planning and executing further attacks against the affected system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7148474 provides details on mitigation, including available patches for the listed versions.

Details

CWE(s)

Affected Products

Vendor: ibm
Product: cloud pak system
Versions: 2.3.3.6, 2.3.3.7, 2.3.4.0

CVEs Like This One

CVE-2023-38713 (Same product: IBM Cloud Pak System)
CVE-2023-38714 (Same product: IBM Cloud Pak System)
CVE-2023-38272 (Same product: IBM Cloud Pak System)
CVE-2023-38010 (Same product: IBM Cloud Pak System)
CVE-2023-38013 (Same product: IBM Cloud Pak System)
CVE-2025-13726 (Same vendor: IBM)
CVE-2024-56340 (Same vendor: IBM)
CVE-2024-43187 (Same vendor: IBM)
CVE-2025-0162 (Same vendor: IBM)
CVE-2024-28766 (Same vendor: IBM)
