CVE-2023-38367: IBM Cloud Pak for Automation authentication bypass
First published: Fri Jul 28 2023(Updated: )
IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration. IBM X-Force ID: 261130.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | <=V23.0.1 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF022 | |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF006 and later fixesV22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| IBM Cloud Pak for Business Automation | =18.0.0 | |
| IBM Cloud Pak for Business Automation | =18.0.1 | |
| IBM Cloud Pak for Business Automation | =18.0.2 | |
| IBM Cloud Pak for Business Automation | =19.0.1 | |
| IBM Cloud Pak for Business Automation | =19.0.2 | |
| IBM Cloud Pak for Business Automation | =19.0.3 | |
| IBM Cloud Pak for Business Automation | =20.0.1 | |
| IBM Cloud Pak for Business Automation | =20.0.2 | |
| IBM Cloud Pak for Business Automation | =20.0.3 | |
| IBM Cloud Pak for Business Automation | =21.0.1 | |
| IBM Cloud Pak for Business Automation | =21.0.1-interim_fix_001 | |
| IBM Cloud Pak for Business Automation | =21.0.1-interim_fix_002 | |
| IBM Cloud Pak for Business Automation | =21.0.1-interim_fix_003 | |
| IBM Cloud Pak for Business Automation | =21.0.1-interim_fix_004 | |
| IBM Cloud Pak for Business Automation | =21.0.1-interim_fix_005 | |
| IBM Cloud Pak for Business Automation | =21.0.1-interim_fix_006 | |
| IBM Cloud Pak for Business Automation | =21.0.1-interim_fix_007 | |
| IBM Cloud Pak for Business Automation | =21.0.2 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_001 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_0012 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_002 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_003 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_004 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_005 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_006 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_007 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_008 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_009 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_010 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_011 | |
| IBM Cloud Pak for Business Automation | =21.0.2-interim_fix_012 | |
| IBM Cloud Pak for Business Automation | =21.0.3 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_001 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_002 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_003 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_004 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_005 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_006 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_007 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_008 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_009 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_010 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_011 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_012 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_013 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_014 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_015 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_016 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_017 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_018 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_019 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_020 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_021 | |
| IBM Cloud Pak for Business Automation | =21.0.3-interim_fix_022 | |
| IBM Cloud Pak for Business Automation | =22.0.1 | |
| IBM Cloud Pak for Business Automation | =22.0.1-interim_fix_001 | |
| IBM Cloud Pak for Business Automation | =22.0.1-interim_fix_002 | |
| IBM Cloud Pak for Business Automation | =22.0.1-interim_fix_003 | |
| IBM Cloud Pak for Business Automation | =22.0.1-interim_fix_004 | |
| IBM Cloud Pak for Business Automation | =22.0.1-interim_fix_005 | |
| IBM Cloud Pak for Business Automation | =22.0.1-interim_fix_006 | |
| IBM Cloud Pak for Business Automation | =22.0.2 | |
| IBM Cloud Pak for Business Automation | =22.0.2-interim_fix_001 | |
| IBM Cloud Pak for Business Automation | =22.0.2-interim_fix_002 | |
| IBM Cloud Pak for Business Automation | =22.0.2-interim_fix_003 | |
| IBM Cloud Pak for Business Automation | =22.0.2-interim_fix_004 | |
| IBM Cloud Pak for Business Automation | =22.0.2-interim_fix_005 | |
| IBM Cloud Pak for Business Automation | =22.0.2-interim_fix_006 | |
| IBM Cloud Pak for Business Automation | =23.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-38367?
CVE-2023-38367 has been rated as a high-severity vulnerability due to the potential for unauthorized access to sensitive operations.
How do I fix CVE-2023-38367?
To remediate CVE-2023-38367, upgrade to the latest version of IBM Cloud Pak for Business Automation that addresses this vulnerability.
What versions of IBM Cloud Pak for Business Automation are affected by CVE-2023-38367?
CVE-2023-38367 affects multiple versions including 18.0.0 through 23.0.1.
What kind of attack can CVE-2023-38367 facilitate?
CVE-2023-38367 could allow an attacker to perform unauthorized CRUD operations using an invalid token.
Is there a workaround for CVE-2023-38367 if immediate patching is not possible?
IBM recommends implementing strict token validation as an immediate measure until an official fix can be applied.
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/softwarecombine
- agent/trending
- agent/tags
- agent/source
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v23.0.1
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if022
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if006 and later fixesv22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes
- version/ibm cloud pak for business automation/18.0.0
- version/ibm cloud pak for business automation/18.0.1
- version/ibm cloud pak for business automation/18.0.2
- version/ibm cloud pak for business automation/19.0.1
- version/ibm cloud pak for business automation/19.0.2
- version/ibm cloud pak for business automation/19.0.3
- version/ibm cloud pak for business automation/20.0.1
- version/ibm cloud pak for business automation/20.0.2
- version/ibm cloud pak for business automation/20.0.3
- version/ibm cloud pak for business automation/21.0.1
- version/ibm cloud pak for business automation/21.0.1-interim_fix_001
- version/ibm cloud pak for business automation/21.0.1-interim_fix_002
- version/ibm cloud pak for business automation/21.0.1-interim_fix_003
- version/ibm cloud pak for business automation/21.0.1-interim_fix_004
- version/ibm cloud pak for business automation/21.0.1-interim_fix_005
- version/ibm cloud pak for business automation/21.0.1-interim_fix_006
- version/ibm cloud pak for business automation/21.0.1-interim_fix_007
- version/ibm cloud pak for business automation/21.0.2
- version/ibm cloud pak for business automation/21.0.2-interim_fix_001
- version/ibm cloud pak for business automation/21.0.2-interim_fix_0012
- version/ibm cloud pak for business automation/21.0.2-interim_fix_002
- version/ibm cloud pak for business automation/21.0.2-interim_fix_003
- version/ibm cloud pak for business automation/21.0.2-interim_fix_004
- version/ibm cloud pak for business automation/21.0.2-interim_fix_005
- version/ibm cloud pak for business automation/21.0.2-interim_fix_006
- version/ibm cloud pak for business automation/21.0.2-interim_fix_007
- version/ibm cloud pak for business automation/21.0.2-interim_fix_008
- version/ibm cloud pak for business automation/21.0.2-interim_fix_009
- version/ibm cloud pak for business automation/21.0.2-interim_fix_010
- version/ibm cloud pak for business automation/21.0.2-interim_fix_011
- version/ibm cloud pak for business automation/21.0.2-interim_fix_012
- version/ibm cloud pak for business automation/21.0.3
- version/ibm cloud pak for business automation/21.0.3-interim_fix_001
- version/ibm cloud pak for business automation/21.0.3-interim_fix_002
- version/ibm cloud pak for business automation/21.0.3-interim_fix_003
- version/ibm cloud pak for business automation/21.0.3-interim_fix_004
- version/ibm cloud pak for business automation/21.0.3-interim_fix_005
- version/ibm cloud pak for business automation/21.0.3-interim_fix_006
- version/ibm cloud pak for business automation/21.0.3-interim_fix_007
- version/ibm cloud pak for business automation/21.0.3-interim_fix_008
- version/ibm cloud pak for business automation/21.0.3-interim_fix_009
- version/ibm cloud pak for business automation/21.0.3-interim_fix_010
- version/ibm cloud pak for business automation/21.0.3-interim_fix_011
- version/ibm cloud pak for business automation/21.0.3-interim_fix_012
- version/ibm cloud pak for business automation/21.0.3-interim_fix_013
- version/ibm cloud pak for business automation/21.0.3-interim_fix_014
- version/ibm cloud pak for business automation/21.0.3-interim_fix_015
- version/ibm cloud pak for business automation/21.0.3-interim_fix_016
- version/ibm cloud pak for business automation/21.0.3-interim_fix_017
- version/ibm cloud pak for business automation/21.0.3-interim_fix_018
- version/ibm cloud pak for business automation/21.0.3-interim_fix_019
- version/ibm cloud pak for business automation/21.0.3-interim_fix_020
- version/ibm cloud pak for business automation/21.0.3-interim_fix_021
- version/ibm cloud pak for business automation/21.0.3-interim_fix_022
- version/ibm cloud pak for business automation/22.0.1
- version/ibm cloud pak for business automation/22.0.1-interim_fix_001
- version/ibm cloud pak for business automation/22.0.1-interim_fix_002
- version/ibm cloud pak for business automation/22.0.1-interim_fix_003
- version/ibm cloud pak for business automation/22.0.1-interim_fix_004
- version/ibm cloud pak for business automation/22.0.1-interim_fix_005
- version/ibm cloud pak for business automation/22.0.1-interim_fix_006
- version/ibm cloud pak for business automation/22.0.2
- version/ibm cloud pak for business automation/22.0.2-interim_fix_001
- version/ibm cloud pak for business automation/22.0.2-interim_fix_002
- version/ibm cloud pak for business automation/22.0.2-interim_fix_003
- version/ibm cloud pak for business automation/22.0.2-interim_fix_004
- version/ibm cloud pak for business automation/22.0.2-interim_fix_005
- version/ibm cloud pak for business automation/22.0.2-interim_fix_006
- version/ibm cloud pak for business automation/23.0.1