CVE-2023-38281
Unknown Unknown - Not Provided
Missing Secure Attribute on IBM Cloud Pak System Cookies Enables Cookie Theft

Publication date: 2026-02-04

Last updated on: 2026-02-25

Assigner: IBM Corporation

Description
IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-14
NVD
CVE-2023-38281
EUVD
EUVD-2023-42101
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
ibm cloud_pak_system 2.3.4.0
ibm cloud_pak_system 2.3.4.1
ibm cloud_pak_system 2.3.4.1
ibm cloud_pak_system 2.3.5.0
ibm cloud_pak_system 2.3.6.0
ibm os_image_for_red_hat_linux_systems 4.0.4.0
ibm os_image_for_red_hat_linux_systems 4.0.5.0
ibm os_image_for_red_hat_linux_systems 4.0.6.0
ibm os_image_for_red_hat_linux_systems 4.0.7.0
ibm os_image_for_red_hat_linux_systems 5.0.0.0
ibm os_image_for_red_hat_linux_systems 5.0.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies.

Without the secure attribute, these cookies can be sent over unencrypted HTTP connections.

An attacker can exploit this by sending a user a link using the HTTP protocol or by placing such a link on a website the user visits.

When the user accesses the HTTP link, the browser sends the cookies over an insecure connection, allowing the attacker to intercept and obtain the cookie values by snooping the traffic.

Impact Analysis

The impact of this vulnerability is that attackers may be able to steal authorization tokens or session cookies.

With these stolen cookies, attackers could potentially impersonate the user or gain unauthorized access to the user's session.

This could lead to unauthorized access to sensitive information or systems.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-38281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart