CVE-2023-38281 in Cloud Pak System

Summary

by MITRE • 02/04/2026

IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Analysis

by VulDB Data Team • 02/26/2026

The vulnerability identified as CVE-2023-38281 affects IBM Cloud Pak System, a comprehensive platform for deploying and managing cloud-native applications. This security flaw represents a critical weakness in the system's session management implementation where authorization tokens and session cookies are transmitted without proper security attributes. The absence of the secure attribute on these cookies creates a significant attack vector that directly violates fundamental web security principles and industry best practices. The vulnerability stems from the system's failure to properly configure HTTP cookies to only be transmitted over encrypted connections, leaving user sessions exposed to interception attacks.

The technical flaw manifests when the IBM Cloud Pak System generates session cookies or authorization tokens whose Set-Cookie response headers lack the Secure attribute. This configuration error means that cookies can be transmitted over both HTTP and HTTPS connections, creating opportunities for attackers to capture these sensitive credentials. The vulnerability is particularly dangerous because it can be exploited through simple means such as sending malicious http:// links to victims or embedding such links within compromised websites that users visit. When a user clicks on these links, the browser automatically sends the session cookies to the insecure HTTP endpoint, allowing attackers to intercept and decode the cookie values during network traffic snooping.

The operational impact of this vulnerability extends beyond simple credential theft, as it enables attackers to establish unauthorized access to user sessions and potentially escalate privileges within the IBM Cloud Pak environment. According to CWE-614, this represents a weakness in cookie security where sensitive information is transmitted over insecure channels, making it susceptible to man-in-the-middle attacks and session hijacking. The vulnerability directly maps to ATT&CK technique T1566, which involves the initial access phase through spearphishing with a link, where attackers can leverage the insecure cookie transmission to gain unauthorized access to systems. This weakness fundamentally undermines the integrity of the authentication mechanism and compromises the confidentiality of user session data.

Organizations affected by this vulnerability should immediately implement mitigations including configuring all session cookies and authorization tokens to include the Secure attribute, enforcing mandatory HTTPS connections, and setting the additional cookie attributes HttpOnly and SameSite. The recommended remediation involves updating the IBM Cloud Pak System configuration to ensure that all cookies are transmitted only over encrypted channels and that these cookie attributes are set. Additionally, organizations should conduct comprehensive network traffic monitoring to detect potential exploitation attempts and implement web application firewalls to prevent malicious link delivery. This vulnerability highlights the critical importance of proper cookie security configuration as outlined in OWASP Top Ten and NIST cybersecurity guidelines, emphasizing that even seemingly minor configuration errors can lead to significant security breaches.

Responsible

IBM

Reservation

07/14/2023

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low
