Vulnerability Details : CVE-2023-38367
IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration. IBM X-Force ID: 261130.
Products affected by CVE-2023-38367
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:interim_fix_007:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:interim_fix_004:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:interim_fix_003:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:interim_fix_006:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.1:interim_fix_001:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_009:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_007:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_004:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_008:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_003:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_006:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_001:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_003:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_006:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_001:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_007:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_004:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_008:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_0012:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_010:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_011:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.2:interim_fix_012:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:interim_fix_001:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_009:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_010:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_011:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_012:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_013:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_014:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_015:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_016:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_017:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:interim_fix_006:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:interim_fix_004:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:interim_fix_003:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:interim_fix_001:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_018:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_019:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_020:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:interim_fix_004:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:interim_fix_003:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:interim_fix_002:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:18.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:19.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:20.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_021:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:21.0.3:interim_fix_022:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:interim_fix_005:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:22.0.2:interim_fix_006:*:*:*:*:*:*
- cpe:2.3:a:ibm:cloud_pak_for_business_automation:23.0.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38367
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-38367
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
NIST | 2024-12-16 |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
IBM Corporation | 2024-02-29 |
References for CVE-2023-38367
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/261130
IBM Cloud Pak for Automation authentication bypass CVE-2023-38367 Vulnerability ReportVendor Advisory
-
https://www.ibm.com/support/pages/node/7015271
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2023Vendor Advisory
Jump to