CVE-2023-38367

Severity
6.5 MEDIUM
EPSS
0.1%
top 76.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Feb 29

Description

IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration. IBM X-Force ID: 261130.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages
2 packages

CVEListV5: ibm/cloud_pak_for_automation (18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2)
NVD: ibm/cloud_pak (15 versions)

Vulnerability Details (2)

CVEList
IBM Cloud Pak for Automation authentication bypass
2024-02-29
GHSA
GHSA-6hmj-wm73-g83p: IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18
2024-02-29