PatchSiren cyber security CVE debrief
CVE-2016-5938 IBM CVE debrief
CVE-2016-5938 is a low-severity information disclosure issue in IBM Kenexa LMS on Cloud. According to NVD, the flaw can allow web pages stored locally to be read by another user on the system. The CVE was published on 2017-02-01 and is not listed as a Known Exploited Vulnerability.
- Vendor: IBM
- Product: CVE-2016-5938
- CVSS: LOW 3.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
IBM Kenexa LMS on Cloud administrators, especially in shared or multi-user environments where local files or stored pages may be accessible to other accounts. Security teams responsible for routine patching and access control reviews should prioritize validation of exposure.
Technical summary
NVD identifies this issue as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with CVSS v3.0 vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerable CPEs cover IBM Kenexa LMS versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2. The disclosed impact is confidentiality-only and requires local access with low privileges.
Defensive priority
Low
Recommended defensive actions
- Review IBM's vendor advisory and apply the referenced patch or mitigation for Kenexa LMS on Cloud.
- Restrict local and account-level access on shared systems to reduce the chance that another user can read stored pages.
- Audit where application-generated web pages or cached content are stored and ensure permissions prevent cross-user access.
- Validate whether any affected IBM Kenexa LMS versions from 4.1 through 5.2 remain in use and schedule remediation during routine maintenance.
Evidence notes
Source corpus supports an information-disclosure finding: NVD lists CWE-200 and CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The affected product versions in NVD are IBM Kenexa LMS 4.1 through 5.2. NVD references an IBM PSIRT advisory and a SecurityFocus entry; the IBM advisory is the primary vendor-linked mitigation source in the supplied corpus.
Official resources
- CVE-2016-5938 CVE record (CVE.org)
- CVE-2016-5938 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed in NVD on 2017-02-01. The record was modified on 2026-05-13. No KEV listing is present in the supplied data.