PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-2987 IBM CVE debrief

CVE-2016-2987 is an information disclosure issue in IBM Rational Collaborative Lifecycle Management (CLM) applications. According to NVD, an authenticated attacker with low privileges and network access could cause some administrative deployment parameters to be shown. The result is a limited confidentiality exposure; the record assigns no integrity or availability impact.

Vendor
IBM
Product
IBM Rational CLM applications (per NVD; see affected product lines below)
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-01
Original CVE updated
2026-05-13
Advisory published
2017-02-01
Advisory updated
2026-05-13

Who should care

Administrators and security teams responsible for IBM Rational CLM deployments, especially Rational DOORS Next Generation, Rational Engineering Lifecycle Manager, Rational Quality Manager, Rational Team Concert, Rational Rhapsody Design Manager, and Rational Software Architect Design Manager versions listed by NVD.

Technical summary

NVD classifies the issue as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with CVSS 3.0 base vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: network-reachable, low attack complexity, low privileges required (an account on the application is enough), no user interaction, unchanged scope, and a low confidentiality impact only. The supplied description says the vulnerability may allow some administrative deployment parameters to be shown to an attacker; the underlying flaw is described by NVD only as "undisclosed", so no request path or parameter is documented. Based on the published CPE criteria, the affected scope includes multiple IBM CLM-related product lines and versions across the 4.0, 5.0, and 6.0 families.

Defensive priority

Medium. The base score is 4.3 and the impact is limited to information disclosure, but the vector requires only a low-privileged account (PR:L), and exposed administrative deployment parameters can reveal operational details (how the environment is deployed and configured) that assist an attacker in planning further attacks on the CLM environment.

Recommended defensive actions

  • Check whether any IBM Rational CLM products in your environment match the affected versions listed by NVD; inventory every deployed application in the 4.0, 5.0 and 6.0 families, not only the primary one.
  • Review the IBM vendor advisory linked from the NVD record and apply the vendor-recommended fix or update for each affected product line.
  • Restrict access to administrative interfaces and verify that only authorized users can reach CLM management functions.
  • Because exploitation needs only a low-privileged account (PR:L), review who holds any CLM access and remove stale, shared, or unnecessary accounts.
  • Audit deployments for unintended exposure of administrative parameters and confirm sensitive configuration data is not visible to ordinary users.
  • Monitor for unusual access to CLM administrative pages or configuration endpoints, especially by non-administrator accounts, while remediation is underway.
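The monitoring step above, as an added example that is not part of the PatchSiren page or of IBM's own tooling: a small triage script that parses web-server access logs and flags successful requests to administrative or configuration paths made by accounts outside an administrator allowlist. The log format (combined log with the authenticated user in the third field), the path markers, the allowlist, and the sample log lines are all assumptions constructed for this example; a real deployment substitutes its own paths and accounts.

```python
"""Flag successful access to CLM administrative/configuration paths by accounts
that are not expected administrators.

Added example for this debrief, not code from PatchSiren or IBM. The path
markers, the allowlist, the log format and the sample lines are assumptions.
"""
import re
from collections import defaultdict

# Assumed: path fragments that identify administrative or deployment
# configuration endpoints. Replace with your CLM applications' real paths.
ADMIN_PATH_MARKERS = ("/admin", "/deploy", "/config")

# Assumed administrator allowlist; accounts here are expected on admin paths.
ADMIN_ACCOUNTS = {"clmadmin", "jazzadmin"}

# Combined-log style line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_admin_path(path):
    """True if the request path (query string ignored) touches an admin marker."""
    path_only = path.split("?", 1)[0].lower()
    return any(marker in path_only for marker in ADMIN_PATH_MARKERS)


def find_suspicious(lines):
    """Return {user: [(timestamp, path, status), ...]} for non-allowlisted
    accounts that reached an administrative path with a 2xx response."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue  # unparsable or unauthenticated: out of scope for this check
        if rec["user"] in ADMIN_ACCOUNTS:
            continue
        if not is_admin_path(rec["path"]):
            continue
        if not rec["status"].startswith("2"):
            continue  # 401/403 means access control held; not a disclosure
        hits[rec["user"]].append((rec["ts"], rec["path"], rec["status"]))
    return dict(hits)


# Constructed sample log lines, not real CLM traffic.
SAMPLE_LOG = [
    '10.0.0.5 - clmadmin [01/Feb/2017:10:00:01 +0000] "GET /ccm/admin HTTP/1.1" 200 5123',
    '10.0.0.9 - alice [01/Feb/2017:10:01:12 +0000] "GET /ccm/web/projects HTTP/1.1" 200 812',
    '10.0.0.9 - alice [01/Feb/2017:10:01:40 +0000] "GET /ccm/admin?internal=deploy HTTP/1.1" 200 2041',
    '10.0.0.9 - alice [01/Feb/2017:10:01:41 +0000] "GET /ccm/service/config/deploy HTTP/1.1" 200 977',
    '10.0.0.12 - bob [01/Feb/2017:10:02:03 +0000] "GET /qm/admin HTTP/1.1" 403 301',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for user, events in find_suspicious(SAMPLE_LOG).items():
        print(user)
        for ts, path, status in events:
            print(f"  {ts} {status} {path}")
```

Only 2xx responses are reported because a 401 or 403 on an administrative path shows the access control working; those are still worth a glance for probing activity, but they are not evidence that deployment parameters were disclosed. On the constructed sample, only `alice` is reported, with two successful admin-path requests.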

Evidence notes

The NVD record states: "An undisclosed vulnerability in CLM applications may result in some administrative deployment parameters being shown to an attacker." NVD also assigns CWE-200 and the CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The record includes IBM's vendor advisory and a SecurityFocus BID reference as supporting links; neither the mechanism nor the affected endpoint is described beyond that sentence. The published date supplied in the corpus is 2017-02-01T20:59:00.393Z.

Official resources

Publicly disclosed in the supplied NVD record on 2017-02-01T20:59:00.393Z; the record was later modified on 2026-05-13T00:24:29.033Z. The IBM vendor advisory and the SecurityFocus BID reference are available through the links in that NVD record. No KEV entry is provided in the supplied corpus.