PatchSiren

CVE-2016-10086 CA CVE debrief

CVE-2016-10086 is a high-severity access-control issue in CA Service Desk Manager 12.9 and CA Service Desk Management 14.1. According to the NVD description, incorrect permissions on a RESTful request could let a remote authenticated user read or modify task information. The risk is primarily unauthorized access to sensitive task data and potential tampering with task records.

Vendor: CA
Product: CVE-2016-10086
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators, security teams, and application owners running CA Service Desk Manager 12.9 or CA Service Desk Management 14.1, especially environments that expose RESTful web services to authenticated users.

Technical summary

NVD lists the issue as network-reachable with low attack complexity and low privileges required (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The weakness is categorized by NVD as CWE-264. The vulnerable components identified in the NVD CPE data are CA Service Desk Manager 12.9 and CA Service Desk Management 14.1. The flaw stems from incorrect permissions applied to a RESTful request, allowing an authenticated attacker to read or alter task information.

Defensive priority

High. The combination of network reachability, authenticated access, and high confidentiality/integrity impact makes this a priority for patching and access review.

Recommended defensive actions

  • Apply the vendor remediation referenced in the CA security notice for CA Service Desk Manager.
  • Verify that CA Service Desk Manager 12.9 and CA Service Desk Management 14.1 are upgraded or otherwise remediated.
  • Review REST endpoint authorization to confirm authenticated users can only access task records they are meant to see or change.
  • Audit task-related access logs for unexpected reads or modifications by authenticated accounts.
  • Restrict exposure of the affected RESTful services to trusted networks and only necessary users until remediation is complete.

Evidence notes

The NVD record for CVE-2016-10086 describes a RESTful web services permission issue affecting CA Service Desk Manager 12.9 and CA Service Desk Management 14.1. NVD lists the CVSS v3.0 vector as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N and identifies CWE-264. The NVD references include the CA vendor security notice URL, which is the primary remediation reference in the supplied corpus. The published date used here is the CVE/NVD publication date of 2017-01-18; the 2026-05-13 timestamp is the record modification date, not the vulnerability disclosure date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-18, with the CA vendor security notice referenced by NVD as the remediation source. The NVD entry was later modified on 2026-05-13; that modified date is not the original disclosure date.