IBM Cloud Pak System
By the Year
In 2026 there have been 5 vulnerabilities in IBM Cloud Pak System with an average score of 5.1 out of ten. Last year, in 2025, Cloud Pak System had 10 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Cloud Pak System in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.56.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 5 | 5.10 |
| 2025 | 10 | 6.66 |
| 2024 | 1 | 7.50 |
| 2023 | 1 | 4.20 |
| 2022 | 1 | 0.00 |
| 2021 | 1 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 8 | 5.98 |
It may take a day or so for new Cloud Pak System vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent IBM Cloud Pak System Security Vulnerabilities
IBM Cloud Pak System 2.3.3.6-2.3.5.0 - Auth User Bypass IA to Run Unauth Tasks
CVE-2023-38005
4.3 - Medium
- February 17, 2026
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls.
Authorization
IBM Cloud Pak System 2.3.x Folder Info Leak to UnAuth Attacker
CVE-2023-38265
5.3 - Medium
- February 17, 2026
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system.
Exposure of Information Through Directory Listing
IBM Cloud Pak: Cookies Lacking Secure Attribute Allow Cookie Theft
CVE-2023-38281
5.3 - Medium
- February 04, 2026
IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Generation of Error Message Containing Sensitive Information
IBM Cloud Pak System: XSS Allowing Arbitrary JavaScript Injection
CVE-2023-38017
5.3 - Medium
- February 04, 2026
IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Generation of Error Message Containing Sensitive Information
IBM Cloud Pak System InfoDisclosure via user msgs
CVE-2023-38010
5.3 - Medium
- February 04, 2026
IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Cloud Pak Sys 2.3.3.6-2.3.4.1: HTML Injection Remote Exec
CVE-2025-2895
5.4 - Medium
- June 30, 2025
IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, 2.3.4.1, and 2.3.4.1 iFix1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
XSS
HTML Injection in IBM Cloud Pak System 2.3.3.6-2.3.5.0 (Power & Intel OS)
CVE-2023-38007
5.4 - Medium
- June 27, 2025
IBM Cloud Pak System 2.3.5.0, 2.3.3.7, 2.3.3.7 iFix1 on Power and 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.4.0, 2.3.4.1 on Intel operating systems is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
XSS
IBM Cloud Pak Sys 2.3.x Mem Disclosure Vulnerability
CVE-2023-37405
6.5 - Medium
- March 27, 2025
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, and 2.3.4.1 stores sensitive data in memory, that could be obtained by an unauthorized user.
Missing Encryption of Sensitive Data
IBM Cloud Pak System <2.3.4.1 CLI args info disclosure
CVE-2023-38272
7.5 - High
- March 27, 2025
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, and 2.3.4.1 could allow a user with access to the network to obtain sensitive information from CLI arguments.
Man-in-the-Middle / MITM
IBM Cloud Pak System 2.3.3.0-2.3.3.7 iFix Disclosure
CVE-2023-38714
7.5 - High
- January 25, 2025
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Cloud Pak Sys 2.3.3.6 Remote Path Traversal via crafted URL
CVE-2023-38012
5.3 - Medium
- January 25, 2025
IBM Cloud Pak System 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Directory traversal
IBM Cloud Pak 2.x Sensitive Info Disclosure in HTTP Response
CVE-2023-38013
7.5 - High
- January 25, 2025
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information in HTTP responses that could aid in further attacks against the system.
Insertion of Sensitive Information Into Sent Data
IBM Cloud Pak System 2.3.3.x Authenticated Log Info Leak
CVE-2023-38271
6.5 - Medium
- January 25, 2025
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could allow an authenticated user to obtain sensitive information from log files.
Insertion of Sensitive Information into Log File
IBM Cloud Pak System 2.3.3.7 Data Disclosure (CVE-2023-38713)
CVE-2023-38713
7.5 - High
- January 25, 2025
IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information about the system that could aid in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Cloud Pak System 2.3.3.6-2.3.4.0 Info Disclosure (CVE-2023-38716)
CVE-2023-38716
7.5 - High
- January 25, 2025
IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could disclose sensitive information about the system that could aid in further attacks against the system.
Generation of Error Message Containing Sensitive Information
IBM Cloud Pak System 2.3.1.1-2.3.3.7 Account Lockout Bypass
CVE-2023-38273
7.5 - High
- February 02, 2024
IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733.
Improper Restriction of Excessive Authentication Attempts
IBM Cloud Pak 2.3.3.0-2.3.3.5 logout invalidation failure, local impersonation
CVE-2020-4914
4.2 - Medium
- May 05, 2023
IBM Cloud Pak System Suite 2.3.3.0 through 2.3.3.5 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 191290.
Insufficient Session Expiration
IBM Cloud Pak System 2.3.0 through 2.3.3.3 Interim Fix 1 uses weaker than expected cryptographic algorithms
CVE-2021-20479
- May 09, 2022
IBM Cloud Pak System 2.3.0 through 2.3.3.3 Interim Fix 1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 197498.
IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console
CVE-2021-20478
- July 20, 2021
IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console. IBM X-Force ID: 197497.
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user
CVE-2019-4095
4.3 - Medium
- December 10, 2019
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.
Session Riding
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CSV Injection
CVE-2019-4521
9.8 - Critical
- December 10, 2019
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 165179.
CSV Injection
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting
CVE-2019-4468
5.4 - Medium
- December 03, 2019
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163777.
XSS
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting
CVE-2019-4467
5.4 - Medium
- December 03, 2019
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163776.
XSS
IBM Cloud Pak System 2.3 and 2.3.0.1 allows web pages to be stored locally which can be read by another user on the system
CVE-2019-4465
3.3 - Low
- December 03, 2019
IBM Cloud Pak System 2.3 and 2.3.0.1 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 163774.
Improper Privilege Management
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting
CVE-2019-4226
5.4 - Medium
- December 03, 2019
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159243.
XSS
IBM Cloud Pak System 2.3 and 2.3.0.1 could
CVE-2019-4130
8.8 - High
- December 03, 2019
IBM Cloud Pak System 2.3 and 2.3.0.1 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 158280.
Unrestricted File Upload
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting
CVE-2019-4098
5.4 - Medium
- December 03, 2019
IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158020.
XSS