CVE-2023-38281 (GCVE-0-2023-38281)
Vulnerability from cvelistv5
Published
2026-02-04 20:45
Modified
2026-02-05 14:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Summary
IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Cloud Pak System |
Version: 2.3.4.0 ≤ Version: 2.3.4.1 ≤ Version: 2.3.4.1 Interim Fix 001 ≤ Version: 2.3.5.0 Version: 2.3.6.0 cpe:2.3:a:ibm:cloud_pak_system:2.3.4.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:ifix1:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.5.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.6.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:24:52.006031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:32:12.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:ifix1:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.6.0:*:*:*:*:*:*:*"
],
"product": "Cloud Pak System",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2.3.4.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "2.3.4.1",
"versionType": "semver"
},
{
"status": "affected",
"version": "2.3.4.1 Interim Fix 001",
"versionType": "semver"
},
{
"status": "affected",
"version": "2.3.5.0"
},
{
"status": "affected",
"version": "2.3.6.0"
}
]
},
{
"product": "OS Image for Red Hat Linux Systems",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "4.0.4.0"
},
{
"status": "affected",
"version": "4.0.5.0"
},
{
"status": "affected",
"version": "4.0.6.0"
},
{
"status": "affected",
"version": "4.0.7.0"
},
{
"status": "affected",
"version": "5.0.0.0"
},
{
"status": "affected",
"version": "5.0.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Cloud Pak System \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edoes not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:45:05.686Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7254419"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003e\u003cstrong\u003eIBM strongly recommends addressing the vulnerabilities now by \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7254396\"\u003eupgrading to version 2.3.6.1\u003c/a\u003e\u003c/strong\u003e\u003cstrong\u003e. \u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIBM Cloud Pak System provides OS image for Red Hat Enterprise Linux System 4.0.8.0 based on Red Hat Enterprise Linux 8.10 and OS image for Red Hat Enterprise Linux System 5.0.3 based on Red Hat Enterprise Linux 9.6. IBM Cloud Pak System provides IBM WebSphere Application Server Liberty V25.0.0.9; IBM Storage Scale is also upgraded to IBM Storage Scale V5.2.3.3.\u003c/p\u003e\u003cp\u003eFor Power, contact IBM Support.\u003c/p\u003e\u003cp\u003eThis Security bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, and IBM Cloud Pak System Software Suite.\u003c/p\u003e\u003cp\u003eInformation on upgrading here \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ibm.com/support/docview.wss?uid=ibm10887959\"\u003ehttp://www.ibm.com/support/docview.wss?uid=ibm10887959\u003c/a\u003e\u003c/p\u003e\u003c/div\u003e\u003cp\u003eFor unsupported versions the recommendation is to upgrade to a supported version of the product.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerabilities now by http://www.ibm.com/support/docview.wss?uid=ibm10887959 \n\n\n\nFor unsupported versions the recommendation is to upgrade to a supported version of the product."
}
],
"title": "Multiple Vulnerabilities in IBM Cloud Pak System",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-38281",
"datePublished": "2026-02-04T20:45:05.686Z",
"dateReserved": "2023-07-14T00:46:27.165Z",
"dateUpdated": "2026-02-05T14:32:12.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-38281\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-05T14:24:52.006031Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-05T14:24:52.643Z\"}}], \"cna\": {\"title\": \"Multiple Vulnerabilities in IBM Cloud Pak System\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:ifix1:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_system:2.3.5.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:cloud_pak_system:2.3.6.0:*:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Cloud Pak System\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.3.4.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2.3.4.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2.3.4.1 Interim Fix 001\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2.3.5.0\"}, {\"status\": \"affected\", \"version\": \"2.3.6.0\"}]}, {\"vendor\": \"IBM\", \"product\": \"OS Image for Red Hat Linux Systems\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.4.0\"}, {\"status\": \"affected\", \"version\": \"4.0.5.0\"}, {\"status\": \"affected\", \"version\": \"4.0.6.0\"}, {\"status\": \"affected\", \"version\": \"4.0.7.0\"}, {\"status\": \"affected\", \"version\": \"5.0.0.0\"}, {\"status\": \"affected\", \"version\": \"5.0.1.0\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"IBM strongly recommends addressing the vulnerabilities now by http://www.ibm.com/support/docview.wss?uid=ibm10887959 \\n\\n\\n\\nFor unsupported versions the recommendation is to upgrade to a supported version of the product.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cp\u003e\u003cstrong\u003eIBM strongly recommends addressing the vulnerabilities now by \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.ibm.com/support/pages/node/7254396\\\"\u003eupgrading to version 2.3.6.1\u003c/a\u003e\u003c/strong\u003e\u003cstrong\u003e. \u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIBM Cloud Pak System provides OS image for Red Hat Enterprise Linux System 4.0.8.0 based on Red Hat Enterprise Linux 8.10 and OS image for Red Hat Enterprise Linux System 5.0.3 based on Red Hat Enterprise Linux 9.6. IBM Cloud Pak System provides IBM WebSphere Application Server Liberty V25.0.0.9; IBM Storage Scale is also upgraded to IBM Storage Scale V5.2.3.3.\u003c/p\u003e\u003cp\u003eFor Power, contact IBM Support.\u003c/p\u003e\u003cp\u003eThis Security bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, and IBM Cloud Pak System Software Suite.\u003c/p\u003e\u003cp\u003eInformation on upgrading here \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"http://www.ibm.com/support/docview.wss?uid=ibm10887959\\\"\u003ehttp://www.ibm.com/support/docview.wss?uid=ibm10887959\u003c/a\u003e\u003c/p\u003e\u003c/div\u003e\u003cp\u003eFor unsupported versions the recommendation is to upgrade to a supported version of the product.\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7254419\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM Cloud Pak System \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003edoes not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-209\", \"description\": \"CWE-209 Generation of Error Message Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2026-02-04T20:45:05.686Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-38281\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-05T14:32:12.741Z\", \"dateReserved\": \"2023-07-14T00:46:27.165Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2026-02-04T20:45:05.686Z\", \"assignerShortName\": \"ibm\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…