Cyber Resilience

CVE-2023-38716

Medium

Published: 25 January 2025

Published
25 January 2025
Modified
13 August 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0010 26.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-38716 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-38716 is an information disclosure vulnerability (CWE-209) in IBM Cloud Pak System versions 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0. The issue enables the exposure of sensitive system information, with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity due to low confidentiality impact over the network.

An unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction. Exploitation discloses sensitive system details that could assist in planning and executing further attacks against the affected system.

IBM's security advisory at https://www.ibm.com/support/pages/node/7148474 provides details on mitigation, including available patches for the listed versions.

EU & UK References

Vulnerability details

IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could disclose sensitive information about the system that could aid in further attacks against the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

Vulnerability directly enables disclosure of sensitive system details to unauthenticated remote attackers, facilitating System Information Discovery.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-38714Same product: Ibm Cloud Pak System
CVE-2023-38713Same product: Ibm Cloud Pak System
CVE-2023-38010Same product: Ibm Cloud Pak System
CVE-2023-38013Same product: Ibm Cloud Pak System
CVE-2023-38272Same product: Ibm Cloud Pak System
CVE-2024-52367Same vendor: Ibm
CVE-2025-13726Same vendor: Ibm
CVE-2025-3356Same vendor: Ibm
CVE-2025-0162Same vendor: Ibm
CVE-2025-12531Same vendor: Ibm

Affected Assets

ibm
cloud pak system
2.3.3.6, 2.3.3.7, 2.3.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the information disclosure vulnerability by identifying, testing, and applying vendor patches as provided in IBM's security advisory.

prevent

Enforces approved authorizations and protections for public or unauthenticated access to system resources, preventing exposure of sensitive system information to remote attackers.

prevent

Filters and sanitizes information outputs to block the disclosure of sensitive system details to unauthenticated remote users.

References