PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-0203 IBM CVE debrief

CVE-2016-0203 is an information disclosure issue in IBM Cloud Orchestrator’s task API. According to the NVD record, an authenticated user may be able to view background information associated with actions performed on virtual machines in projects to which that user belongs. The issue was published on 2017-02-08 and is rated Medium severity with a CVSS 3.0 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Vendor: IBM
Product: CVE-2016-0203
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

IBM Cloud Orchestrator and IBM SmartCloud Orchestrator administrators, cloud platform operators, and security teams responsible for tenant/project isolation and API access control. Any environment exposing task API data to authenticated project members should review exposure and patch status.

Technical summary

The NVD record maps this issue to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability affects IBM Cloud Orchestrator 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.5, 2.5.01, and IBM SmartCloud Orchestrator 2.3 and 2.3.0.1. The reported impact is confidentiality-only: a low-privileged authenticated user may learn background information tied to VM actions within projects they are part of. NVD lists CVSS 3.0 as AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Defensive priority

Medium. The issue is limited to authenticated access and does not indicate integrity or availability impact, but it can expose sensitive operational details about virtual machine activity within tenant/project boundaries.

Recommended defensive actions

  • Review IBM’s advisory for the vendor-recommended patch or upgrade path and apply it promptly.
  • Confirm all affected IBM Cloud Orchestrator and SmartCloud Orchestrator instances are updated to a non-vulnerable release.
  • Audit task API authorization to ensure authenticated users can only access data strictly required for their role and project.
  • Check logs and access records for unusual reads of task or VM action history.
  • Validate tenant/project separation in API responses and remove any unnecessary background information from user-visible task data.
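The last two actions above, authorization auditing and stripping background information from task responses, can be exercised with a small response-filtering check. This is an added example written for this debrief, not code from IBM Cloud Orchestrator; the task record fields, project names and roles are constructed assumptions, not the product's real schema. It shows the weak pattern the CWE-200 description implies (any project member receives the full record) beside a hardened version that projects the record down to the fields a plain member needs.

```python
"""Project-scoped task API response filtering.

Added example for this debrief; not IBM code. All field names, users,
projects and roles below are constructed assumptions for illustration.
"""
from typing import Dict, List

# Constructed sample task records (hypothetical schema).
TASKS: List[Dict] = [
    {"task_id": "t-1", "project": "proj-a", "vm": "vm-01", "action": "stop",
     "status": "done",
     "background": {"executed_by": "ops-admin", "host": "hv-12.internal",
                    "detail": "constructed internal execution detail"}},
    {"task_id": "t-2", "project": "proj-b", "vm": "vm-07", "action": "snapshot",
     "status": "done",
     "background": {"executed_by": "ops-admin", "host": "hv-03.internal",
                    "detail": "constructed internal execution detail"}},
]
# Constructed membership and role tables.
MEMBERSHIP = {"alice": {"proj-a"}, "bob": {"proj-b"},
              "ops-admin": {"proj-a", "proj-b"}}
ROLES = {"alice": "member", "bob": "member", "ops-admin": "operator"}
# Fields a plain project member legitimately needs to see.
MEMBER_FIELDS = ("task_id", "project", "vm", "action", "status")


def list_tasks_weak(user: str, project: str) -> List[Dict]:
    """Weak pattern: membership is checked, but the full record (including
    background data about who ran the action and where) is returned."""
    if project not in MEMBERSHIP.get(user, set()):
        return []
    return [t for t in TASKS if t["project"] == project]


def list_tasks_hardened(user: str, project: str) -> List[Dict]:
    """Hardened: same membership check, plus role-based field projection so
    only operators receive the background section."""
    if project not in MEMBERSHIP.get(user, set()):
        return []
    rows = [t for t in TASKS if t["project"] == project]
    if ROLES.get(user) == "operator":
        return rows
    return [{k: t[k] for k in MEMBER_FIELDS} for t in rows]


def leaks_background(response: List[Dict]) -> bool:
    """Audit helper: True if any returned task still carries background data."""
    return any("background" in t for t in response)
```

Run the audit helper against each role and project combination your API supports; a member-role response that still contains background data is the condition this CVE describes.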

Evidence notes

This debrief is based on the NVD CVE record and the IBM vendor advisory reference linked in the source corpus. The source corpus identifies the vulnerability as an information disclosure issue, lists affected product versions, and provides IBM’s advisory and a third-party SecurityFocus entry. No fixed version details were present in the supplied corpus, so remediation guidance is limited to following the IBM advisory.

Official resources

Publicly disclosed and recorded in CVE/NVD on 2017-02-08. The supplied source corpus includes an IBM PSIRT advisory reference and a SecurityFocus entry.