PatchSiren cyber security CVE debrief
CVE-2016-5949 IBM CVE debrief
CVE-2016-5949 describes a sensitive-data exposure issue in IBM Kenexa LCMS Premier on Cloud. According to NVD, an authenticated user could obtain sensitive user data by sending a specially crafted HTTP request. The issue affects IBM Kenexa LCMS Premier versions 9.1 through 10.1 and carries a CVSS 3.0 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N): network-reachable, low attack complexity, low privileges required, no user interaction, and a low confidentiality impact with no integrity or availability impact.
- Vendor
- IBM
- Product
- IBM Kenexa LCMS Premier on Cloud
- CVE
- CVE-2016-5949
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-01
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-01
- Advisory updated
- 2026-05-13
Who should care
IBM Kenexa LCMS Premier administrators, cloud application owners, identity/access management teams, and security teams responsible for reviewing authenticated data access and vendor patch status on affected versions 9.1-10.1.
Technical summary
NVD maps the vulnerability to IBM Kenexa LCMS Premier 9.1, 9.2, 9.3, 9.4, 9.5, 10.0, and 10.1. The recorded behavior is that an authenticated user can use a specially crafted HTTP request to obtain sensitive user data. The NVD entry assigns CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N and lists CWE-254 in the source metadata.
Defensive priority
Medium. The issue requires authentication and is limited to confidentiality impact, but it affects a network-facing application and may expose sensitive user data.
Recommended defensive actions
- Review IBM PSIRT guidance and apply the vendor patch or mitigation referenced in the IBM advisory for CVE-2016-5949.
- Confirm whether any IBM Kenexa LCMS Premier deployments are running affected versions 9.1 through 10.1.
- Restrict authenticated access to the application to only trusted users and roles while remediation is pending.
- Monitor application and access logs for unusual authenticated HTTP requests and unexpected sensitive-data access patterns.
- Reassess data exposure risk for any user records reachable through the affected application paths.
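One concrete way to act on the log-monitoring item above: the recorded behaviour is an authenticated user pulling other users' data with crafted requests, so a useful signal is a single authenticated account successfully reading an unusually large number of distinct user records in a short window. The script below is an added example for this debrief, not IBM or NVD code. It parses Combined Log Format lines and flags that pattern. The log lines are constructed, and the `/lcms/users/<id>/...` route shape is a hypothetical placeholder; adapt `RECORD_RE` to whatever path exposes user records in your deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Hypothetical route shape for per-user records; adjust to the real application paths.
RECORD_RE = re.compile(r'^/lcms/users/(?P<uid>\d+)(?:/|$)')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Constructed sample log (not real traffic). alice and bob read their own record;
# mallory walks through several other users' records within a few seconds.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Feb/2017:10:00:01 +0000] "GET /lcms/users/1001/profile HTTP/1.1" 200 812
10.0.0.5 - alice [01/Feb/2017:10:00:02 +0000] "GET /lcms/users/1001/courses HTTP/1.1" 200 533
10.0.0.7 - bob [01/Feb/2017:10:01:10 +0000] "GET /lcms/users/1002/profile HTTP/1.1" 200 790
10.0.0.9 - - [01/Feb/2017:10:04:00 +0000] "GET /lcms/users/1003/profile HTTP/1.1" 302 0
10.0.0.9 - mallory [01/Feb/2017:10:05:00 +0000] "GET /lcms/users/1001/profile HTTP/1.1" 200 812
10.0.0.9 - mallory [01/Feb/2017:10:05:01 +0000] "GET /lcms/users/1002/profile HTTP/1.1" 200 790
10.0.0.9 - mallory [01/Feb/2017:10:05:02 +0000] "GET /lcms/users/1003/profile HTTP/1.1" 403 0
10.0.0.9 - mallory [01/Feb/2017:10:05:03 +0000] "GET /lcms/users/1004/profile HTTP/1.1" 200 801
10.0.0.9 - mallory [01/Feb/2017:10:05:04 +0000] "GET /lcms/users/1005/profile HTTP/1.1" 200 777
10.0.0.9 - mallory [01/Feb/2017:10:05:05 +0000] "GET /lcms/users/1006/profile HTTP/1.1" 200 805
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['ts'] = datetime.strptime(e['ts'], TS_FMT)
    e['status'] = int(e['status'])
    return e


def detect_enumeration(log_text, window=timedelta(minutes=5), threshold=3):
    """Flag authenticated users who successfully (HTTP 200) read more than
    `threshold` distinct user records within any span of length `window`.
    Returns {user: max_distinct_records_seen_in_one_window} for flagged users."""
    events = defaultdict(list)  # user -> [(timestamp, record id)]
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e['user'] == '-' or e['status'] != 200:
            continue  # unparseable, unauthenticated, or the read did not succeed
        r = RECORD_RE.match(e['path'])
        if r:
            events[e['user']].append((e['ts'], r.group('uid')))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        win = deque()
        peak = 0
        for ts, uid in evs:
            win.append((ts, uid))
            while ts - win[0][0] > window:  # slide the window forward
                win.popleft()
            peak = max(peak, len({u for _, u in win}))
        if peak > threshold:
            findings[user] = peak
    return findings


if __name__ == '__main__':
    for user, count in detect_enumeration(SAMPLE_LOG).items():
        print(f'ALERT: {user} read {count} distinct user records within 5 minutes')
```

Only successful reads count, so the 403 response in the sample is ignored; the threshold and window are starting points and should be tuned against a baseline of legitimate administrator activity, since trainers or HR staff may legitimately browse many learner records.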
Evidence notes
This debrief is based on the supplied NVD CVE record, which states that IBM Kenexa LCMS Premier on Cloud could allow an authenticated user to obtain sensitive user data with a specially crafted HTTP request. Version coverage comes from the NVD CPE criteria in the source item, and mitigation context is supported by the IBM PSIRT advisory reference. CVSS and CWE details are taken from the same NVD source metadata.
Official resources
- CVE-2016-5949 CVE record (CVE.org)
- CVE-2016-5949 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: [email protected] (Patch, Vendor Advisory)
- Mitigation or vendor reference: [email protected] (Third Party Advisory, VDB Entry)
CVE published by NVD/CVE on 2017-02-01; NVD metadata last modified on 2026-05-13.