CVE-2023-38267: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Access Manager Appliance (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. The vulnerability was discovered and disclosed in January 2024, identified as CVE-2023-38267 with IBM X-Force ID: 260584 (IBM Advisory).

The vulnerability has a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The attack requires local access with low attack complexity and low privileges. No user interaction is needed, and while the scope is unchanged, it can result in high confidentiality impact without affecting integrity or availability (NVD).

The vulnerability exposes sensitive configuration information that could potentially allow local users to elevate their privileges. The primary impact is on confidentiality, with high potential for exposure of sensitive data (IBM Advisory).

IBM has released security updates to address this vulnerability. Users are encouraged to update their IBM Security Verify Access systems to version 10.0.7-ISS-ISVA-FP0000 or later. For Docker container deployments, users should pull the latest version using the command 'docker pull icr.io/isva/verify-access:[tag]' (IBM Advisory).