Invalid Token Allows Unauthorized Access to IdP Configuration
CVE-2023-38367

6.5MEDIUM

Key Information:

Vendor: IBM
Status: Cloud Pak For Automation
Vendor: CVE Published:; 29 February 2024

What is CVE-2023-38367?

The IBM Cloud Pak Foundational Services Identity Provider API is susceptible to unauthorized access due to insufficient token validation. Attackers can exploit this vulnerability to perform Create, Read, Update, and Delete (CRUD) operations on IdP configurations using an invalid token. This flaw poses serious risks, including unauthorized viewing and manipulation of sensitive user identity data, which may compromise the security of the affected systems.

Affected Version(s)

Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2

References

https://www.ibm.com/support/pages/node/7015271

vendor-advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/261130

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Jul 16, 2023