PatchSiren cyber security CVE debrief
CVE-2016-3029 IBM CVE debrief
CVE-2016-3029 is a cross-site request forgery (CSRF) issue in IBM Security Access Manager for Web and related IBM Security Access Manager builds listed by NVD. If a trusted user is induced to interact with attacker-controlled content, malicious requests can be sent through the user’s authenticated session and perform unauthorized actions in the application. NVD rates the issue CVSS 8.8 with network access, no privileges required, and user interaction required, with high confidentiality, integrity, and availability impact.
- Vendor: IBM
- Product: IBM Security Access Manager for Web and Mobile (firmware builds listed by NVD)
- CVE: CVE-2016-3029
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
IBM Security Access Manager for Web and Mobile administrators, IAM/SSO platform owners, web application security teams, and incident responders responsible for the affected IBM firmware builds enumerated by NVD.
Technical summary
NVD maps CVE-2016-3029 to CWE-352 (CSRF) and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The supplied NVD CPE set marks multiple IBM Security Access Manager for Web and Mobile firmware versions as vulnerable, including Security Access Manager 9.0.0, 9.0.0.1, 9.0.1.0, and Access Manager for Mobile/Web 8.0 builds such as 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.5, 8.0.1.0, 8.0.1.2, 8.0.1.3, and 8.0.1.4. The appliance CPEs in the supplied record are marked non-vulnerable. The IBM support advisory referenced by NVD is the primary remediation pointer in the corpus.
Defensive priority
High — prioritize affected IBM Security Access Manager deployments, especially internet-facing or frequently used administrative workflows.
Recommended defensive actions
- Use the IBM support advisory referenced by NVD to confirm the fixed builds and apply the vendor patch or upgrade path.
- Inventory IBM Security Access Manager for Web and Mobile instances and compare them against the vulnerable CPE versions listed in NVD.
- Reduce CSRF exposure in sensitive workflows by verifying anti-CSRF controls, session protections, and origin validation are enabled where applicable.
- Review administrative and high-impact actions that can be triggered through browser sessions, and ensure only necessary users can access them.
- Reassess any appliance-versus-firmware assumptions: the supplied NVD record marks the appliance CPEs as non-vulnerable, while firmware CPEs are vulnerable.
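The anti-CSRF and origin-validation controls in the list above are what a web front end in front of an SSO platform has to enforce on every state-changing request. The following is an added illustration written for this debrief; it is not IBM code and does not describe how IBM Security Access Manager implements its own protections. The allowed origin, the server secret, the session identifier and the header/form values are all constructed for the example. It combines two independent checks: the request's Origin (or, failing that, Referer) must match the site's own origin, and the form must carry a synchronizer token bound to the current session via an HMAC. Either check alone is a common point of failure (a missing Origin header that is treated as "allowed", or a token that is accepted for any session), so the example fails closed on both.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed configuration (assumption for this example, not from the advisory):
# the origins that are allowed to submit state-changing requests, and a
# server-side secret used to bind CSRF tokens to a session.
ALLOWED_ORIGINS = {"https://sso.example.com"}
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Methods that change state and therefore need CSRF protection.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Create a synchronizer token bound to one session: nonce.HMAC(session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer origin) is one of ours.

    A missing header is treated as a failure: browsers send Origin on
    cross-origin POSTs, so failing open here would defeat the check.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def check_request(method: str, headers: dict, form: dict, session_id: str):
    """Decide whether a request may proceed. Returns (allowed, reason)."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"
    if not origin_allowed(headers):
        return False, "origin check failed"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return False, "csrf token invalid"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a legitimate same-origin submission with a
    # session-bound token passes; the same form from another origin does not.
    sid = "constructed-session-1"
    tok = issue_csrf_token(sid)
    print(check_request("POST", {"Origin": "https://sso.example.com"}, {"csrf_token": tok}, sid))
    print(check_request("POST", {"Origin": "https://other.example"}, {"csrf_token": tok}, sid))
    print(check_request("POST", {"Origin": "https://sso.example.com"}, {}, sid))
```

The token is bound to the session identifier, so a token harvested from one session does not validate for another, and `hmac.compare_digest` avoids leaking the comparison through timing. In a real deployment the origin allowlist and secret come from configuration, and the session identifier is whatever the platform attaches to the authenticated session cookie.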
Evidence notes
The supplied corpus includes the NVD CVE record, which states the vulnerability is CSRF (CWE-352) with CVSS 8.8 and lists affected IBM Security Access Manager for Web/Mobile firmware CPEs. It also references an IBM PSIRT advisory and a SecurityFocus entry. Timing context: the CVE was published on 2017-02-01 and the NVD record was modified on 2026-05-13; the modified date is not the issue date.
Official resources
- CVE-2016-3029 CVE record (CVE.org)
- CVE-2016-3029 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: IBM PSIRT advisory (NVD reference tags: Patch, Vendor Advisory)
Source reference
Public vulnerability disclosure only. This debrief uses the supplied official vulnerability data and vendor reference pointers; no exploit code, weaponization details, or unsupported incident claims are included. CVE publication date used: