PatchSiren cyber security CVE debrief
CVE-2016-3035 IBM CVE debrief
IBM AppScan Source contains an information disclosure issue where browsing testlinks on the server could reveal sensitive information. NVD rates the issue CVSS 5.3 (medium), and the affected versions listed are 9.0.1, 9.0.2, and 9.0.3.
- Vendor: IBM
- Product: CVE-2016-3035
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams running IBM AppScan Source 9.0.1, 9.0.2, or 9.0.3 should review exposure, especially if testlinks are accessible to users who should not see sensitive project or test data.
Technical summary
NVD maps CVE-2016-3035 to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue is described as sensitive information being revealed through browsing of testlinks on the server, indicating an information disclosure condition rather than code execution or integrity impact. The official record lists IBM Security AppScan Source 9.0.1, 9.0.2, and 9.0.3 as vulnerable.
Defensive priority
Medium. The impact is limited to confidentiality, but the attack surface is network-reachable and requires no privileges or user interaction per the published CVSS vector.
Recommended defensive actions
- Identify whether IBM Security AppScan Source 9.0.1, 9.0.2, or 9.0.3 is deployed.
- Review access to server-hosted testlinks and limit visibility to authorized users only.
- Apply the IBM vendor guidance and patch referenced in the advisory.
- Check whether any sensitive data may have been exposed through testlink browsing and rotate or remove exposed data as needed.
- Monitor IBM security advisories and update internal records for the affected product versions.
Evidence notes
This debrief is based on the official NVD record and the IBM PSIRT advisory reference included in NVD. The NVD entry identifies the vulnerability as CWE-200 and provides the affected CPEs for IBM Security AppScan Source 9.0.1, 9.0.2, and 9.0.3. References supplied in the record include the IBM advisory (swg21987325) and a SecurityFocus entry.
Official resources
- CVE-2016-3035 CVE record (CVE.org)
- CVE-2016-3035 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Published in the CVE/NVD record on 2017-02-01T20:59:00.737Z and later modified on 2026-05-13T00:24:29.033Z. Use the published CVE date for issue timing; the later modified date reflects record maintenance, not original disclosure.