CVE-2023-38281
Unknown Unknown - Not Provided
Missing Secure Attribute on IBM Cloud Pak System Cookies Enables Cookie Theft

Publication date: 2026-02-04

Last updated on: 2026-02-25

Assigner: IBM Corporation

Description
IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-25
Generated
2026-05-07
AI Q&A
2026-02-04
EPSS Evaluated
2026-05-05
NVD
CVE-2023-38281
EUVD
EUVD-2023-42101
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
ibm cloud_pak_system 2.3.4.0
ibm cloud_pak_system 2.3.4.1
ibm cloud_pak_system 2.3.4.1
ibm cloud_pak_system 2.3.5.0
ibm cloud_pak_system 2.3.6.0
ibm os_image_for_red_hat_linux_systems 4.0.4.0
ibm os_image_for_red_hat_linux_systems 4.0.5.0
ibm os_image_for_red_hat_linux_systems 4.0.6.0
ibm os_image_for_red_hat_linux_systems 4.0.7.0
ibm os_image_for_red_hat_linux_systems 5.0.0.0
ibm os_image_for_red_hat_linux_systems 5.0.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs because IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies.

Without the secure attribute, these cookies can be sent over unencrypted HTTP connections.

An attacker can exploit this by sending a user a link using the HTTP protocol or by placing such a link on a website the user visits.

When the user accesses the HTTP link, the browser sends the cookies over an insecure connection, allowing the attacker to intercept and obtain the cookie values by snooping the traffic.


How can this vulnerability impact me? :

The impact of this vulnerability is that attackers may be able to steal authorization tokens or session cookies.

With these stolen cookies, attackers could potentially impersonate the user or gain unauthorized access to the user's session.

This could lead to unauthorized access to sensitive information or systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart