PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-0297 IBM CVE debrief

CVE-2016-0297 is a low-severity information disclosure issue in IBM endpoint management software where a missing HTTP Strict-Transport-Security (HSTS) header could let a network attacker use man-in-the-middle techniques to obtain sensitive information. NVD assigns this issue a CVSS v3.0 base score of 3.7 (Low) with confidentiality impact only.

Vendor: IBM
Product: CVE-2016-0297
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Organizations running the affected IBM endpoint management product line identified in NVD as BigFix Platform 9.0, 9.1, 9.2, or 9.5, and teams responsible for TLS/security header configuration, should review exposure. Security administrators and network defenders should care most where users or admins access the product over untrusted networks or where interception risk is non-trivial.

Technical summary

The NVD record maps this issue to CWE-200 and a CVSS v3.0 vector of AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness is the absence of an HSTS header: without it, browsers are never instructed to refuse plaintext HTTP connections to the host, which reduces protection against SSL/TLS downgrade or interception scenarios and can allow disclosure of sensitive information if traffic is intercepted. The supplied description attributes the issue to IBM Tivoli Endpoint Manager - Mobile Device Management, while NVD CPE coverage lists IBM BigFix Platform 9.0/9.1/9.2/9.5.

Defensive priority

Moderate for exposed administrative or mobile-device-management deployments, but generally lower than integrity- or availability-impacting flaws. Prioritize if the product is reachable from untrusted networks or is used by users likely to connect through hostile Wi-Fi, proxies, or other interception-prone paths.

Recommended defensive actions

  • Review IBM advisory SWG21993214 for vendor-specific remediation guidance and affected release details.
  • Verify whether your deployed IBM endpoint management versions match the NVD-listed BigFix Platform 9.0, 9.1, 9.2, or 9.5 CPEs.
  • Ensure HSTS is enabled and correctly delivered on all relevant HTTPS endpoints serving the product.
  • Confirm TLS is enforced end-to-end and that administrative access is not exposed through interception-prone networks without additional protections.
  • Use the NVD record and vendor advisory to validate whether a product update, configuration change, or compensating control is available in your environment.
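As an added defender-side check for the HSTS item above (example code written for this debrief, not IBM's or the advisory's), the following script parses a Strict-Transport-Security header per RFC 6797 and reports why a browser would ignore or weaken the policy, starting with the header being absent, which is the CVE-2016-0297 condition. The sample responses are constructed, and the one-year minimum max-age is an assumed threshold.

```python
"""Evaluate the HSTS policy in an HTTP response (RFC 6797)."""
import re

ONE_YEAR = 31_536_000  # assumed minimum max-age (seconds) for a meaningful policy

# One HSTS directive: name, optional "=" value (quoted or token), surrounding whitespace
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^;\s]*))?\s*')


def parse_hsts(value):
    """Return {directive: value} for a Strict-Transport-Security field value,
    or None when a browser would ignore it (missing/invalid max-age or a
    directive repeated, which RFC 6797 forbids)."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        match = _DIRECTIVE.fullmatch(part)
        if match is None or match.group(1).lower() in directives:
            return None
        val = match.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # unwrap quoted-string
        directives[match.group(1).lower()] = val
    if not (directives.get("max-age") or "").isdigit():
        return None
    return directives


def evaluate_hsts(headers, over_tls=True, min_max_age=ONE_YEAR):
    """Return a list of findings for the response headers; [] means the policy
    would be honoured by browsers and meets the assumed minimum strength."""
    findings = []
    if not over_tls:  # RFC 6797 s8.1: HSTS received over plain HTTP is ignored
        findings.append("response not delivered over TLS; browsers ignore HSTS on plain HTTP")
    raw = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if raw is None:
        return findings + ["missing Strict-Transport-Security header (the CVE-2016-0297 condition)"]
    policy = parse_hsts(raw)
    if policy is None:
        return findings + ["malformed HSTS header; browsers will ignore it"]
    max_age = int(policy["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif max_age < min_max_age:
        findings.append(f"max-age {max_age} is shorter than {min_max_age}s")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains absent; subdomains stay downgradeable")
    return findings


def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response into a {name: value} header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # drop the status line
    return {k.strip(): v.strip() for k, v in (line.split(":", 1) for line in lines if ":" in line)}


# Constructed sample responses, not captured from any real product.
VULNERABLE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: example\r\n\r\n<html>"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html>")

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, evaluate_hsts(parse_response_headers(sample)) or ["ok"])
```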

Evidence notes

CVE publishedAt: 2017-02-01T20:59:00.207Z; modifiedAt: 2026-05-13T00:24:29.033Z. Source corpus describes the flaw as a missing HTTP Strict-Transport-Security header that could allow sensitive-information disclosure via man-in-the-middle techniques. NVD classifies it as CWE-200 and provides CVSS v3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. NVD CPE criteria list IBM BigFix Platform versions 9.0, 9.1, 9.2, and 9.5. References supplied include the IBM PSIRT advisory and a SecurityFocus BID entry.

Official resources

Publicly disclosed in the CVE record on 2017-02-01 and later modified in NVD on 2026-05-13. The supplied corpus does not include exploit or weaponization details, only the vulnerability description and advisory references.