CVE-2023-43016: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Access Manager Container (IBM Security Verify Access Appliance and Docker versions 10.0.0.0 through 10.0.6.1) contains a vulnerability that could allow a remote user to log into the server due to a user account with an empty password (IBM Advisory). The vulnerability was disclosed in February 2024 and is tracked as CVE-2023-43016 with IBM X-Force ID: 266154.

The vulnerability is classified with a CVSS v3.1 Base Score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. This indicates the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, and has low impacts on confidentiality, integrity, and availability. The weakness is categorized as CWE-521 (Weak Password Requirements) by NIST and CWE-258 (Empty Password in Configuration File) by IBM Corporation (NVD).

The vulnerability allows remote attackers to gain unauthorized access to the server through an account with an empty password. This could lead to compromised system security with potential impacts on confidentiality, integrity, and availability of the system, though all are rated as Low severity in the CVSS scoring (IBM Advisory).

IBM has released version 10.0.7-ISS-ISVA-FP0000 to address this vulnerability. For Docker Container users, the fix can be obtained by running the command 'docker pull icr.io/isva/verify-access:[tag]' with the latest published version tag. For ISAM/ISVA appliances, users should obtain and install the latest version from IBM's support portal (IBM Advisory).