PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3034 IBM CVE debrief

CVE-2016-3034 affects IBM AppScan Source and is rated medium severity (CVSS 4.4). The issue is described as a one-way hash used without salt to protect highly sensitive information, which can make that data easier to recover if an attacker already has local access. NVD assigns CVE-2016-3034 to IBM Security AppScan Source 9.0.1, 9.0.2, and 9.0.3, with confidentiality impact only and no integrity or availability impact indicated. The published CVSS vector also shows high privileges required and local attack access, which narrows the practical exposure but still matters for systems that store sensitive secrets or credentials.

Vendor: IBM
Product: IBM Security AppScan Source (CVE-2016-3034)
CVSS: Medium (4.4)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Security AppScan Source administrators, security teams handling scan results or stored secrets, and endpoint or workstation owners where the product is installed.

Technical summary

NVD maps the weakness to CWE-326 (Inadequate Encryption Strength). The core problem is protection of highly sensitive information with an unsalted one-way hash, which weakens resistance to offline recovery techniques if the protected material is obtained locally. The CVSS 3.0 vector (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) indicates a local attacker with high privileges is needed, and the primary impact is loss of confidentiality.
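To make the weakness concrete, here is an added illustration (not code from IBM or AppScan Source; the hash function, KDF, iteration count and sample secret are assumptions) contrasting an unsalted one-way hash with a salted, iterated one, plus a simple audit check a defender can run over a set of stored hash values.

```python
import hashlib
import hmac
import os

# Weak pattern named in the advisory: a bare one-way hash with no salt.
# Every record holding the same secret gets the same digest, so one
# precomputed digest identifies all of them and nothing slows guessing.
def weak_protect(secret: bytes) -> bytes:
    return hashlib.sha256(secret).digest()

def weak_verify(secret: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(weak_protect(secret), stored)

# Hardened pattern: a random per-record salt plus an iterated KDF.
# The salt defeats precomputed tables; iterations raise per-guess cost.
ITERATIONS = 600_000  # assumed value, in line with OWASP 2023 guidance for PBKDF2-HMAC-SHA256

def strong_protect(secret: bytes, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return salt, digest

def strong_verify(secret: bytes, salt: bytes, stored: bytes,
                  iterations: int = ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return hmac.compare_digest(candidate, stored)

def unsalted_store_detectable(stored_values) -> bool:
    """Audit check: if two records share a stored value, the store is either
    unsalted or reuses salts; with per-record salts every value is unique."""
    return len(set(stored_values)) < len(stored_values)

def demo(iterations: int = ITERATIONS) -> dict:
    # Constructed sample: two records that happen to hold the same secret.
    secret = b"correct horse battery staple"
    weak_store = [weak_protect(secret), weak_protect(secret)]
    strong_store = [strong_protect(secret, iterations)[1] for _ in range(2)]
    salt, digest = strong_protect(secret, iterations)
    return {
        "weak_duplicates": unsalted_store_detectable(weak_store),
        "strong_duplicates": unsalted_store_detectable(strong_store),
        "strong_verifies": strong_verify(secret, salt, digest, iterations),
        "strong_rejects_wrong": strong_verify(b"wrong", salt, digest, iterations),
    }

if __name__ == "__main__":
    print(demo())
```

The duplicate check only proves the presence of salting, not its quality; a store with unique values may still use a fast hash with too few iterations.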

Defensive priority

Medium. Prioritize if the affected AppScan Source versions are installed on shared or privileged systems, or if the product stores highly sensitive material.

Recommended defensive actions

  • Confirm whether IBM Security AppScan Source 9.0.1, 9.0.2, or 9.0.3 is installed anywhere in the environment.
  • Apply the IBM vendor guidance referenced in the advisory and move to a remediated release if available.
  • Restrict local administrative access on systems running the product, since the published CVSS vector requires local access and high privileges.
  • Review what sensitive information the product stores or protects and reduce stored secret exposure where possible.
  • Treat this issue as a confidentiality problem and validate that vulnerable instances are removed from inventory after remediation.

Evidence notes

All facts here are drawn from the supplied NVD record and linked IBM/third-party references. The supplied corpus identifies the CVE as published on 2017-02-01 and modified on 2026-05-13. The vulnerable CPEs listed in NVD are IBM Security AppScan Source 9.0.1, 9.0.2, and 9.0.3. The record also cites CWE-326 and the CVSS 3.0 vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N.

Official resources

Published by NVD/CVE on 2017-02-01; last modified 2026-05-13. No KEV listing is provided in the supplied corpus.