
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM Security Access Manager Docker versions 10.0.0.0 through 10.0.7.1, under certain configurations, were found to contain a security vulnerability that could allow network users to install malicious packages. The vulnerability was discovered and reported to IBM by Pierre Barre, and was assigned CVE-2023-38370. The issue was publicly disclosed on June 27, 2024, and received a CVSS v3.1 base score of 7.5 (High) (IBM Advisory).
The vulnerability has been assessed with a CVSS v3.1 Vector of CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it requires adjacent network access and high attack complexity, but needs no privileges or user interaction. The vulnerability is related to incorrect default permissions (CWE-276) and affects the security configuration of the Docker container (NVD).
If exploited, this vulnerability could allow an attacker on the network to install malicious packages, potentially leading to high impacts on confidentiality, integrity, and availability of the system. The high CVSS score reflects the significant potential impact of successful exploitation (IBM Advisory).
IBM has released version 10.0.8.0 to address this vulnerability. Users are strongly encouraged to update their systems promptly. For Docker Container installations, users should obtain the latest version by running the command 'docker pull icr.io/isva/verify-access:[tag]' where [tag] is the latest published version (IBM Advisory).
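To find deployments still inside the affected range before pulling the fixed image, the following added example (not part of the IBM advisory or IBM tooling) classifies image references against the versions listed above. It assumes tags begin with a four-part dotted version; the sample image list and the `_IF1` tag suffix are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify image references against the version range this
# page lists for CVE-2023-38370 (10.0.0.0 through 10.0.7.1, fixed in 10.0.8.0).
# Assumption: tags begin with a four-part dotted version (e.g. 10.0.7.1).

IMAGE_REPO="icr.io/isva/verify-access"

# Print one of: affected | fixed | not-listed | unknown | other
classify_image() {
    img=$1
    case $img in
        "$IMAGE_REPO":*) tag=${img#"$IMAGE_REPO":} ;;
        "$IMAGE_REPO"|"$IMAGE_REPO"@*) echo unknown; return 0 ;;  # no tag, or pinned by digest
        *) echo other; return 0 ;;                                # a different image
    esac
    # Keep only the leading a.b.c.d part of the tag, dropping any suffix.
    ver=$(printf '%s\n' "$tag" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }   # e.g. "latest": inspect manually
    printf '%s\n' "$ver" | awk -F. '{
        v  = (($1 * 1000 + $2) * 1000 + $3) * 1000 + $4
        lo = 10000000000    # 10.0.0.0, first affected version
        hi = 10000007001    # 10.0.7.1, last affected version
        fx = 10000008000    # 10.0.8.0, fixed release
        if (v >= lo && v <= hi) print "affected"
        else if (v >= fx)       print "fixed"
        else                    print "not-listed"
    }'
}

# Read image references from stdin, one per line; print "<ref><TAB><status>".
scan_images() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$line" "$(classify_image "$line")"
    done
}

# Constructed sample input. On a real host, feed the function with:
#   docker ps --format '{{.Image}}' | scan_images
SAMPLE_IMAGES='icr.io/isva/verify-access:10.0.7.1
icr.io/isva/verify-access:10.0.6.0_IF1
icr.io/isva/verify-access:10.0.8.0
icr.io/isva/verify-access:latest
docker.io/library/nginx:1.25'

printf '%s\n' "$SAMPLE_IMAGES" | scan_images
```

A result of `unknown` (floating tag or digest pin) means the running version has to be confirmed another way, since the reference alone does not reveal it.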
Source: This report was generated using AI