CVE-2023-38716
Published: 25 January 2025
Summary
CVE-2023-38716 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Ibm Cloud Pak System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-38716 is an information disclosure vulnerability (CWE-209) in IBM Cloud Pak System versions 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0. The issue enables the exposure of sensitive system information, with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity due to low confidentiality impact over the network.
An unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction. Exploitation discloses sensitive system details that could assist in planning and executing further attacks against the affected system.
IBM's security advisory at https://www.ibm.com/support/pages/node/7148474 provides details on mitigation, including available patches for the listed versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42491
Vulnerability details
IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could disclose sensitive information about the system that could aid in further attacks against the system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables disclosure of sensitive system details to unauthenticated remote attackers, facilitating System Information Discovery.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the information disclosure vulnerability by identifying, testing, and applying vendor patches as provided in IBM's security advisory.
Enforces approved authorizations and protections for public or unauthenticated access to system resources, preventing exposure of sensitive system information to remote attackers.
Filters and sanitizes information outputs to block the disclosure of sensitive system details to unauthenticated remote users.