Cyber Posture

CVE-2023-38739

Medium

Published: 31 January 2025

Modified: 05 March 2025
KEV Added: not listed
Patch: see vendor advisory
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS Score: 0.0013 (31.3rd percentile)
Risk Priority: 9 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-38739 is a medium-severity CSRF (CWE-352) vulnerability in IBM Sterling B2B Integrator. Its CVSS base score is 4.3 (Medium).

Operationally, it is ranked at the 31.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (prevent): directly addresses the CVE by requiring identification, reporting, and correction of the specific CSRF flaw through vendor-recommended patches.

SC-23 (prevent): enforces session authenticity mechanisms such as CSRF tokens to prevent attackers from executing unauthorized actions on behalf of authenticated users.

SI-10 (prevent): requires validation of information inputs, including CSRF tokens or Origin headers, to block forged requests exploiting the vulnerability.

NVD Description

IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Deeper analysis

CVE-2023-38739 is a cross-site request forgery (CSRF) vulnerability, mapped to CWE-352, in IBM Sterling B2B Integrator versions 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3. Published on 2025-01-31, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges, user interaction needed, and low integrity impact.

An unauthenticated attacker can exploit this by crafting a malicious webpage or link that, when visited by an authenticated user, triggers unauthorized requests to the vulnerable IBM Sterling B2B Integrator instance. This allows the attacker to execute malicious actions on behalf of the trusted user, such as modifying application state or performing unintended operations, relying on the absence of proper CSRF protections.

IBM's security advisory at https://www.ibm.com/support/pages/node/7182004 provides details on the vulnerability, including recommended patches and mitigation guidance for affected versions. Security practitioners should review this resource promptly to apply updates and implement defenses like CSRF tokens.
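The SC-23 and SI-10 controls above and the analysis in this section come down to one server-side check on every state-changing request: a per-session synchronizer token compared in constant time, plus an Origin (or Referer) header matched against the application's own origin. The following is an added illustration, not code from the page, from IBM, or from Sterling B2B Integrator; the allowed origin, header names and form field name are assumptions, and the sample requests are constructed.

```python
# Added example (not from the page or from IBM): a minimal server-side CSRF
# check of the kind SC-23/SI-10 describe. It verifies a per-session token
# with a constant-time compare and checks the Origin (or Referer) header
# against an allow-list before letting a state-changing request proceed.
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://b2b.example.internal"}  # assumed deployment origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token() -> str:
    """Generate a fresh, unguessable per-session synchronizer token."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    """Reduce a Referer URL to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def csrf_check(method: str, headers: dict, form: dict, session_token: str) -> tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; unsafe ones need an
    allowed Origin/Referer AND a token matching the one bound to the session."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin") or _origin_of(h.get("referer", ""))
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    submitted = form.get("csrf_token", "")
    if not submitted or not hmac.compare_digest(submitted, session_token):
        return False, "token mismatch"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: a legitimate same-origin post, a cross-site post
    with no token, and a same-origin post that lost its token."""
    tok = issue_token()
    good = csrf_check("POST", {"Origin": "https://b2b.example.internal"}, {"csrf_token": tok}, tok)
    forged = csrf_check("POST", {"Origin": "https://attacker.example"}, {}, tok)
    no_tok = csrf_check("POST", {"Referer": "https://b2b.example.internal/app/form"}, {}, tok)
    return {"good": good, "forged": forged, "no_token": no_tok}


if __name__ == "__main__":
    print(demo())
```

The Origin check rejects a cross-site request before the token is even consulted, while the token check still catches a same-origin request that arrives without its session-bound value.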

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products

IBM Sterling B2B Integrator: 6.0.0.0 through 6.1.2.5; 6.2.0.0 through 6.2.0.3

CVEs Like This One

CVE-2024-31903 (same product: IBM Sterling B2B Integrator)
CVE-2023-50316 (same product: IBM Sterling B2B Integrator)
CVE-2026-1264 (same product: IBM Sterling B2B Integrator)
CVE-2025-36375 (same vendor: IBM)
CVE-2025-36368 (same product: IBM Sterling B2B Integrator)
CVE-2025-14031 (same product: IBM Sterling B2B Integrator)
CVE-2024-49352 (same vendor: IBM)
CVE-2025-36070 (same vendor: IBM)
CVE-2023-49886 (same vendor: IBM)
CVE-2023-43029 (same vendor: IBM)
