PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5939 IBM CVE debrief

CVE-2016-5939 is a SQL injection vulnerability in IBM Kenexa LMS on Cloud. NVD lists affected versions from 4.1 through 5.2. A remote attacker holding a low-privileged account can send crafted input that is incorporated into backend SQL queries, allowing them to view, add, modify, or delete data in the application database.

Vendor
IBM
Product
Kenexa LMS on Cloud
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-01
Original CVE updated
2026-05-13
Advisory published
2017-02-01
Advisory updated
2026-05-13

Who should care

Security teams and administrators responsible for IBM Kenexa LMS on Cloud deployments, especially instances running versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, or 5.2.

Technical summary

NVD classifies this issue as CWE-89 SQL injection with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. Read as metrics: the attack is network-reachable (AV:N), low complexity (AC:L), needs no user interaction (UI:N), requires a low-privileged account (PR:L), stays within the vulnerable component (S:U), and has a Low impact on each of confidentiality, integrity, and availability. A remote attacker who can authenticate to the application may send specially crafted SQL input to influence backend queries and potentially view, add, modify, or delete database information.

Defensive priority

Medium. The vulnerability is network-reachable with low attack complexity and no user interaction, and it can affect confidentiality, integrity, and availability. It scores 6.3 rather than High or Critical because the attacker needs a low-privileged account (PR:L) and each impact metric is rated Low. Prioritize remediation if the application is exposed to untrusted networks, self-registration or weak account controls make low-privilege accounts easy to obtain, or the instance holds sensitive learner or HR data.

Recommended defensive actions

  • Follow IBM PSIRT guidance in the vendor advisory and apply the recommended patch or remediation for the affected Kenexa LMS on Cloud release.
  • Inventory all IBM Kenexa LMS on Cloud installations and confirm whether any affected versions are in use.
  • Reduce exposure by limiting network access to the application and placing it behind trusted access controls where possible.
  • Review any code your organization controls around the LMS (custom integrations, reports, or extensions that build SQL from user input) for queries assembled by string concatenation rather than parameterized statements, the pattern behind CWE-89.
  • Monitor database and application logs for unusual query patterns, unexpected data access, or signs of tampering.
  • Use least-privilege database credentials for the application and rotate credentials if compromise is suspected.
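The following added example (written for this debrief, not code from IBM or from Kenexa LMS) illustrates the query-construction gap the technical summary and the input-handling action above describe. It uses an in-memory SQLite table with constructed rows standing in for an LMS completions table, runs the same tautology payload through a concatenated query and a parameterized one, and shows both the confidentiality effect (a lookup returns every learner's record) and the integrity effect (an UPDATE meant for one row touches all of them). Table and column names are assumptions for the demonstration; they are not the product's schema.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real LMS data).
SAMPLE_ROWS = [
    ("alice", "SEC101", 88),
    ("bob", "SEC101", 72),
    ("carol", "SEC202", 95),
]


def setup_db():
    """Create an in-memory database with a hypothetical completions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE completions (learner TEXT, course TEXT, score INTEGER)"
    )
    conn.executemany("INSERT INTO completions VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def completions_vulnerable(conn, learner):
    """Vulnerable pattern: untrusted input spliced into the SQL text."""
    sql = (
        "SELECT learner, course, score FROM completions "
        "WHERE learner = '" + learner + "'"
    )
    return conn.execute(sql).fetchall()


def completions_safe(conn, learner):
    """Hardened pattern: a placeholder; the driver binds the value as data."""
    sql = "SELECT learner, course, score FROM completions WHERE learner = ?"
    return conn.execute(sql, (learner,)).fetchall()


def reset_score_vulnerable(conn, learner, course):
    """Vulnerable UPDATE: injected OR in the WHERE clause widens the target."""
    sql = (
        "UPDATE completions SET score = 0 WHERE learner = '" + learner
        + "' AND course = '" + course + "'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def reset_score_safe(conn, learner, course):
    """Hardened UPDATE: both values are bound parameters."""
    sql = "UPDATE completions SET score = 0 WHERE learner = ? AND course = ?"
    cur = conn.execute(sql, (learner, course))
    conn.commit()
    return cur.rowcount


def demo():
    """Run the same payload through both code paths and report the outcome."""
    payload = "' OR '1'='1"

    conn = setup_db()
    leaked = completions_vulnerable(conn, payload)   # every row comes back
    blocked = completions_safe(conn, payload)        # no learner has that name

    # Integrity: the attacker controls only the course field, yet the
    # vulnerable UPDATE zeroes every row because AND binds tighter than OR.
    tampered = reset_score_vulnerable(setup_db(), "bob", payload)
    untouched = reset_score_safe(setup_db(), "bob", payload)

    return {
        "rows_leaked_by_vulnerable_select": len(leaked),
        "rows_returned_by_safe_select": len(blocked),
        "rows_changed_by_vulnerable_update": tampered,
        "rows_changed_by_safe_update": untouched,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-38s %d" % (k, v))
```

The hardened versions are not doing any escaping of their own; they simply never let the input become part of the statement. That is the property to look for when reviewing integrations: a query whose shape is fixed at build time and whose values arrive only through bound parameters.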

Evidence notes

The NVD record for CVE-2016-5939 cites an IBM PSIRT vendor advisory and lists vulnerable CPEs for IBM Kenexa LMS on Cloud versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2. The published CVSS v3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. NVD published the CVE on 2017-02-01 and last modified the record on 2026-05-13.

Official resources

The NVD record for CVE-2016-5939 references an IBM PSIRT advisory and a SecurityFocus entry; the IBM advisory is the authoritative source for affected releases and remediation. Publication and last-modified dates are given in the summary table and the evidence notes above.