CVE-2023-43040

Severity: Medium
Published: 14 May 2024
Modified: 04 November 2025
KEV Added: not listed
CVSS v3.1 Score: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0759 (92.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-43040 is a medium-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in IBM Storage Fusion HCI. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2 contain a vulnerability that permits unauthorized actions against the RGW (RADOS Gateway) component of Ceph because of improper bucket access controls. The flaw is tracked under CWE-1220 and carries a CVSS 3.1 score of 6.5, reflecting a network attack vector, high attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can leverage the issue to alter data (high integrity impact) and, to a lesser extent, disrupt availability (low availability impact) within the affected Ceph RGW environment. Exploitation requires no credentials and can be performed over the network, although the high attack-complexity rating indicates that non-trivial conditions must be met.

The associated EPSS score reached a peak of 0.1017 before receding to the current value of 0.0759, indicating limited sustained exploitation interest after disclosure. IBM has published remediation guidance at the referenced support page for affected Spectrum Fusion HCI deployments.

Vulnerability details

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.

CWE(s)

CWE-1220: Insufficient Granularity of Access Control
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ibm
Product: storage fusion hci
Versions: 2.5.2 — 2.8.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-1220.

- Use of granular security and privacy attributes enables finer access control than coarse permission models alone.
- Documenting interface characteristics enables more granular control over internal access.
- Requiring the architecture to describe the granularity and placement of controls prevents insufficiently fine-grained access decisions.
- Placing system management functions outside the reach of user-level access controls provides the necessary granularity.
- Isolation supplies an explicit, enforceable granularity boundary between security and non-security functions that coarser access-control schemes lack.
