PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-0297 IBM CVE debrief

CVE-2016-0297 is a low-severity information disclosure issue in IBM endpoint management software: a missing HTTP Strict-Transport-Security (HSTS) header could let a network attacker in a man-in-the-middle position obtain sensitive information. NVD assigns it a CVSS v3.0 base score of 3.7 (Low), with confidentiality impact only.

Vendor: IBM
Product: BigFix Platform
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Organizations running the affected IBM endpoint management product line identified in NVD as BigFix Platform 9.0, 9.1, 9.2, or 9.5, and teams responsible for TLS/security header configuration, should review exposure. Security administrators and network defenders should care most where users or admins access the product over untrusted networks or where interception risk is non-trivial.

Technical summary

The NVD record maps this issue to CWE-200 and a CVSS v3.0 vector of AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness is the absence of an HSTS header, which reduces protection against SSL/TLS downgrade or interception scenarios and can allow disclosure of sensitive information if traffic is intercepted. The supplied description attributes the issue to IBM Tivoli Endpoint Manager - Mobile Device Management, while NVD CPE coverage lists IBM BigFix Platform 9.0/9.1/9.2/9.5.

Defensive priority

Moderate for exposed administrative or mobile-device-management deployments, but generally lower than integrity- or availability-impacting flaws. Prioritize if the product is reachable from untrusted networks or is used by users likely to connect through hostile Wi-Fi, proxies, or other interception-prone paths.

Recommended defensive actions

  • Review IBM advisory SWG21993214 for vendor-specific remediation guidance and affected release details.
  • Verify whether your deployed IBM endpoint management versions match the NVD-listed BigFix Platform 9.0, 9.1, 9.2, or 9.5 CPEs.
  • Ensure HSTS is enabled and correctly delivered on all relevant HTTPS endpoints serving the product.
  • Confirm TLS is enforced end-to-end and that administrative access is not exposed through interception-prone networks without additional protections.
  • Use the NVD record and vendor advisory to validate whether a product update, configuration change, or compensating control is available in your environment.
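One way to carry out the "ensure HSTS is enabled and correctly delivered" check above, as an added example that is not IBM's or PatchSiren's code: it parses a Strict-Transport-Security header as RFC 6797 section 6.1 describes (case-insensitive directive names, optionally quoted max-age, duplicated directives invalidate the header) and reports the findings a defender would act on. The response headers and server name are constructed samples, not captures from any deployment.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample response headers for this example; not captured from any real deployment.
SAMPLES = {
    "missing": {"Content-Type": "text/html", "Server": "hypothetical-server"},
    "good": {"content-type": "text/html",
             "strict-transport-security": "max-age=31536000; includeSubDomains"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "no_max_age": {"Strict-Transport-Security": "includeSubDomains; preload"},
}
ONE_YEAR = 31536000  # widely recommended minimum max-age, in seconds

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    findings: list = field(default_factory=list)

def parse_hsts(value):
    """Split an STS header value into its directives (RFC 6797 section 6.1). Names are
    case-insensitive, max-age may be quoted, and a duplicated directive returns None."""
    directives = {}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:
            return None  # duplicate directive: browsers must ignore the whole header
        directives[name] = raw.strip().strip('"') if raw else None
    return directives

def check_hsts(headers, min_max_age=ONE_YEAR):
    """Evaluate one response's STS header and return findings a defender can act on."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsResult(False, findings=["Strict-Transport-Security header missing"])
    directives = parse_hsts(value)
    if directives is None or not re.fullmatch(r"\d+", directives.get("max-age") or ""):
        return HstsResult(True, findings=["malformed STS header (max-age missing or duplicate directive): browsers ignore it"])
    result = HstsResult(True, int(directives["max-age"]), "includesubdomains" in directives)
    if result.max_age == 0:
        result.findings.append("max-age=0 disables HSTS")
    elif result.max_age < min_max_age:
        result.findings.append(f"max-age {result.max_age} below recommended {min_max_age}")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent: subdomains not covered")
    return result
```

Feed it the headers of a real response (for example from `requests` or `urllib`) for each HTTPS endpoint serving the product; an empty findings list means the header is present and usable.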

Evidence notes

CVE publishedAt: 2017-02-01T20:59:00.207Z; modifiedAt: 2026-05-13T00:24:29.033Z. Source corpus describes the flaw as a missing HTTP Strict-Transport-Security header that could allow sensitive-information disclosure via man-in-the-middle techniques. NVD classifies it as CWE-200 and provides CVSS v3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. NVD CPE criteria list IBM BigFix Platform versions 9.0, 9.1, 9.2, and 9.5. References supplied include the IBM PSIRT advisory and a SecurityFocus BID entry.

Official resources

Publicly disclosed in the CVE record on 2017-02-01 and later modified in NVD on 2026-05-13. The supplied corpus does not include exploit or weaponization details, only the vulnerability description and advisory references.