Executive Summary

CVE-2023-38265 is a vulnerability in IBM Cloud Pak System versions 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 that allows an unauthenticated attacker to obtain folder location information through directory listing.

This exposure of folder location information can help attackers by revealing system structure details, which could be used to plan further attacks against the system.

The vulnerability is classified under CWE-548 (Exposure of Information Through Directory Listing) and has a CVSS v3 base score of 5.3, indicating a moderate severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker to gain knowledge of folder locations within your IBM Cloud Pak System.

With this information, attackers may be able to conduct further targeted attacks against your system, potentially compromising security.

Although the confidentiality impact is considered low, the exposure of directory information can be a stepping stone for more serious exploits.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate CVE-2023-38265, IBM recommends upgrading affected IBM Cloud Pak System versions to fixed releases.

• Upgrade Intel-based systems to Cloud Pak System version 2.3.4.1 Interim Fix 1 or the latest version 2.3.6.1.
• For Power systems, contact IBM Support for guidance.
• Upgrade or migrate unsupported versions to supported versions.

No workarounds or other mitigations are provided, so applying the recommended upgrades is the immediate step to reduce risk.

Useful 0 Not Useful 0