PatchSiren cyber security CVE debrief
CVE-2016-0202 IBM CVE debrief
CVE-2016-0202 is a low-severity information disclosure issue in IBM Cloud Orchestrator. According to the NVD description, an authenticated user could view any task in the current user’s domain through the application’s tasks backend object. The published CVSS 3.0 vector indicates low confidentiality impact with no integrity or availability impact.
- Vendor: IBM
- Product: CVE-2016-0202
- CVSS: LOW 3.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-08
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-08
- Advisory updated: 2026-05-13
Who should care
IBM Cloud Orchestrator administrators, operators, and security teams responsible for task visibility and access control in affected deployments should review this issue. It also matters to anyone with authenticated access in a multi-user IBM Cloud Orchestrator environment, since the flaw concerns cross-task visibility within a domain.
Technical summary
The vulnerability is classified by NVD as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). NVD lists affected IBM Cloud Orchestrator versions as 2.3, 2.3.0.1, 2.4, 2.4.0.1, 2.4.0.2, and 2.4.0.3. The CVSS v3.0 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, which is consistent with a local, authenticated information disclosure issue rather than code execution or privilege escalation.
Defensive priority
Low to moderate. The severity is low, but the issue affects authenticated access controls and can expose task data within a domain. Prioritize remediation if the system stores sensitive operational details in tasks or if multiple tenants/users share the environment.
Recommended defensive actions
- Apply the IBM remediation guidance referenced by the vendor advisory in the NVD record.
- Review task visibility and authorization settings in IBM Cloud Orchestrator to ensure authenticated users only see tasks they are meant to access.
- Audit current deployments for affected IBM Cloud Orchestrator versions listed by NVD and plan upgrades or patches accordingly.
- Restrict authenticated access to the minimum necessary roles and monitor for unexpected task enumeration or browsing patterns.
- Validate that sensitive operational details are not unnecessarily stored in task records or task metadata.
Evidence notes
The supplied corpus includes the NVD record and references to an IBM support advisory and a SecurityFocus entry. The vulnerability description states that an authenticated user can view any task of the current user’s domain. NVD’s metadata classifies the weakness as CWE-200 and lists affected Cloud Orchestrator versions. No exploit code, proof-of-concept, or KEV designation is present in the supplied data.
Official resources
- CVE-2016-0202 CVE record: CVE.org
- CVE-2016-0202 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed in the CVE record on 2017-02-08. The provided data shows a later NVD modification date of 2026-05-13, but that is not the original issue date. No Known Exploited Vulnerabilities listing or ransomware association is shown.