{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-38281", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2023-07-14T00:46:27.165Z", "datePublished": "2026-02-04T20:45:05.686Z", "dateUpdated": "2026-02-04T20:45:05.686Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:cloud_pak_system:2.3.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:ifix1:*:*:*:*:*:*", "cpe:2.3:a:ibm:cloud_pak_system:2.3.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cloud_pak_system:2.3.6.0:*:*:*:*:*:*:*"], "product": "Cloud Pak System", "vendor": "IBM", "versions": [{"status": "affected", "version": "2.3.4.0", "versionType": "semver"}, {"status": "affected", "version": "2.3.4.1", "versionType": "semver"}, {"status": "affected", "version": "2.3.4.1 Interim Fix 001", "versionType": "semver"}, {"status": "affected", "version": "2.3.5.0"}, {"status": "affected", "version": "2.3.6.0"}]}, {"product": "OS Image for Red Hat Linux Systems", "vendor": "IBM", "versions": [{"status": "affected", "version": "4.0.4.0"}, {"status": "affected", "version": "4.0.5.0"}, {"status": "affected", "version": "4.0.6.0"}, {"status": "affected", "version": "4.0.7.0"}, {"status": "affected", "version": "5.0.0.0"}, {"status": "affected", "version": "5.0.1.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM Cloud Pak System <span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.</span></span></p>"}], "value": "IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-02-04T20:45:05.686Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7254419"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><p><strong>IBM strongly recommends addressing the vulnerabilities now by <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/node/7254396\">upgrading to version 2.3.6.1</a></strong><strong>. </strong></p><p>IBM Cloud Pak System provides OS image for Red Hat Enterprise Linux System 4.0.8.0 based on Red Hat Enterprise Linux 8.10 and OS image for Red Hat Enterprise Linux System 5.0.3 based on Red Hat Enterprise Linux 9.6. IBM Cloud Pak System provides IBM WebSphere Application Server Liberty V25.0.0.9; IBM Storage Scale is also upgraded to IBM Storage Scale V5.2.3.3.</p><p>For Power, contact IBM Support.</p><p>This Security bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, and IBM Cloud Pak System Software Suite.</p><p>Information on upgrading here <a target=\"_blank\" rel=\"nofollow\" href=\"http://www.ibm.com/support/docview.wss?uid=ibm10887959\">http://www.ibm.com/support/docview.wss?uid=ibm10887959</a></p></div><p>For unsupported versions the recommendation is to upgrade to a supported version of the product.</p><br>"}], "value": "IBM strongly recommends addressing the vulnerabilities now by http://www.ibm.com/support/docview.wss?uid=ibm10887959 \n\n\n\nFor unsupported versions the recommendation is to upgrade to a supported version of the product."}], "title": "Multiple Vulnerabilities in IBM Cloud Pak System", "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic."}], "id": "CVE-2023-38281", "lastModified": "2026-02-04T21:15:56.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-02-04T21:15:56.640", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7254419"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{}