CVE-2023-38005 PUBLISHED

Improper Access Control and Exposure of Information Through Directory Listing vulnerabilities affect IBM Cloud Pak System

Assigner: ibm
Reserved: 11.07.2023 Published: 17.02.2026 Updated: 17.02.2026

IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor IBM
Product Cloud Pak System
Versions
  • affected from 2.3.3.6 to 2.1.0 (incl.)
  • Version 2.3.3.7 is affected
  • Version 2.3.4.0 is affected
  • Version 2.3.4.1 is affected
  • Version 2.3.5.0 is affected

Solutions

This Security Bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, and IBM Cloud Pak System Software Suite. For Intel releases, IBM strongly recommends addressing this vulnerability now by upgrading to v2.3.4.1 Interim Fix 1 or the latest upgrade to Cloud Pak System 2.3.6.1. For Power, contact IBM Support. For unsupported versions, the recommendation is to upgrade/migrate to a supported version of the product.

Problem Types

  • CWE-284 Improper Access Control