CVE-2023-38281

Published: Feb 4, 2026Modified: Feb 25, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: psirt@us.ibm.com

Description

IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Affected (11)

Products: Ibm: Cloud Pak System, Os Image For Red Hat Linux Systems

Ibm

2 products

Cloud Pak System

Os Image For Red Hat Linux Systems

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Ibm Cloud Pak System	Version 2.3.4.0
Ibm Cloud Pak System	Version 2.3.4.1
Ibm Cloud Pak System	Version 2.3.4.1 ifix1
Ibm Cloud Pak System	Version 2.3.5.0
Ibm Cloud Pak System	Version 2.3.6.0
Ibm Os Image For Red Hat Linux Systems	Version 4.0.4.0
Ibm Os Image For Red Hat Linux Systems	Version 4.0.5.0
Ibm Os Image For Red Hat Linux Systems	Version 4.0.6.0
Ibm Os Image For Red Hat Linux Systems	Version 4.0.7.0
Ibm Os Image For Red Hat Linux Systems	Version 5.0.0.0
Ibm Os Image For Red Hat Linux Systems	Version 5.0.1.0

Related CWEs

CWE-209

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

References (1)

https://www.ibm.com/support/pages/node/7254419

Source: psirt@us.ibm.com

Vendor Advisory

Timeline

No history available yet.