PatchSiren cyber security CVE debrief
CVE-2016-5958 IBM CVE debrief
CVE-2016-5958 is a high-severity information disclosure vulnerability in IBM Security Privileged Identity Manager. In SSL mode, the product could fail to mark the session cookie as Secure, which could allow a remote attacker to intercept the cookie during HTTP session traffic and obtain sensitive information. NVD lists affected versions as IBM Security Privileged Identity Manager 2.0.2 and 2.1, with a CVSS v3.0 score of 7.5 (High).
- Vendor: IBM
- Product: IBM Security Privileged Identity Manager (versions 2.0.2 and 2.1 affected)
- CVE: CVE-2016-5958
- CVSS: 7.5 High (v3.0)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
Organizations running IBM Security Privileged Identity Manager 2.0.2 or 2.1, in particular deployments operating in SSL mode (the configuration in which the flaw occurs), and the teams responsible for identity, access management and session handling.
Technical summary
NVD describes the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue is that the Secure attribute was not set on the session cookie in SSL mode. A browser only withholds a cookie from cleartext requests when that attribute is present; without it, any http:// request to the same host (for example one induced by a plain-HTTP link or a redirect) carries the session cookie unencrypted, and an attacker able to observe that traffic obtains a valid session identifier. The NVD CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which aligns with a remote, unauthenticated confidentiality impact and no integrity or availability impact.
Defensive priority
High. The issue is remotely reachable, requires no privileges or user interaction, and affects confidentiality directly. In practice an attacker still needs a position from which to observe cleartext traffic, or a way to make a victim's browser issue a plain-HTTP request to the host, which the CVSS vector does not discount. Prioritize remediation for any exposed IBM Security Privileged Identity Manager instance still on the affected versions.
Recommended defensive actions
- Upgrade or apply the IBM vendor remediation referenced in the IBM PSIRT advisory for this CVE.
- Verify whether IBM Security Privileged Identity Manager 2.0.2 or 2.1 is deployed anywhere in production, test, or DR environments.
- Review the TLS configuration and confirm that every session cookie the product sets over HTTPS carries the Secure attribute (and HttpOnly); re-check after upgrades and configuration changes, since the flaw is a missing attribute rather than a broken TLS stack.
- Audit authentication and session-management paths for cookies that could be sent over channels an attacker can observe, including any http:// listener or redirect on the same host.
- If patching is delayed, reduce exposure by restricting network access to the management interface, serving an HTTP Strict-Transport-Security header so browsers upgrade http:// requests before the cookie leaves, and monitoring for anomalous session activity such as one session identifier used from several client addresses.
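As an added example of the check behind the actions above (not code from IBM, NVD or the PatchSiren page), the following Python audits a response's Set-Cookie headers for session-bearing cookies that lack the Secure attribute, which is the pattern CVE-2016-5958 describes. The cookie names, values, host name and the list of "session-like" name hints are assumptions; the two header sets are constructed to show a flawed SSL-mode response beside the corrected one. fetch_set_cookie shows how to collect live headers with the standard library but is not invoked here.

```python
"""Check Set-Cookie headers for session cookies that lack the Secure attribute.

Added example for this debrief; it is not code from IBM, NVD or PatchSiren.
Cookie names, values, the host name and SESSION_NAME_HINTS are hypothetical;
FLAWED_RESPONSE and FIXED_RESPONSE are constructed sample data.
"""
from __future__ import annotations

import http.client
import ssl
from dataclasses import dataclass, field

# Substrings that mark a cookie as session-bearing (assumption: adjust per product).
SESSION_NAME_HINTS = ("session", "ltpatoken", "sess", "auth")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    samesite: str | None
    problems: list[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieFinding:
    """Parse one Set-Cookie value; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    finding = CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )
    if not finding.secure:
        finding.problems.append("no Secure: browser also sends it on http:// requests")
    if not finding.httponly:
        finding.problems.append("no HttpOnly: readable from script")
    return finding


def is_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name look like it carries a session or token?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(set_cookie_values: list[str]) -> list[CookieFinding]:
    """One finding per Set-Cookie value in a response."""
    return [parse_set_cookie(v) for v in set_cookie_values]


def insecure_session_cookies(findings: list[CookieFinding]) -> list[str]:
    """Names of session-bearing cookies served without Secure: the CVE-2016-5958 pattern."""
    return [f.name for f in findings if is_session_cookie(f.name) and not f.secure]


def fetch_set_cookie(host: str, path: str = "/", port: int = 443) -> list[str]:
    """Collect every Set-Cookie header from one HTTPS request (needs network; not run here).

    getheaders() keeps duplicate header names, whereas getheader() joins them with commas.
    """
    conn = http.client.HTTPSConnection(
        host, port, context=ssl.create_default_context(), timeout=10
    )
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed: a flawed SSL-mode response, session cookies set without Secure.
FLAWED_RESPONSE = [
    "JSESSIONID=0000Ab3dE9xy1:-1; Path=/; HttpOnly",
    "LtpaToken2=AAECAwQFBgcICQoLDA0ODw; Path=/; Domain=.pim.example.test; HttpOnly",
    "lang=en; Path=/",
]
# Constructed: the same response once the session cookies carry Secure.
FIXED_RESPONSE = [
    "JSESSIONID=0000Ab3dE9xy1:-1; Path=/; Secure; HttpOnly",
    "LtpaToken2=AAECAwQFBgcICQoLDA0ODw; Path=/; Domain=.pim.example.test; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("flawed", FLAWED_RESPONSE), ("fixed", FIXED_RESPONSE)):
        bad = insecure_session_cookies(audit(headers))
        print(f"{label}: {'FAIL ' + ', '.join(bad) if bad else 'PASS'}")
```

Run as a script it reports FAIL for the constructed flawed response (JSESSIONID and LtpaToken2) and PASS for the corrected one; the non-session "lang" cookie is reported in its finding's problems but does not fail the check, since the cookie at issue in this CVE is the session cookie. To check a live deployment, pass the output of fetch_set_cookie for the management host to audit, and repeat for the login and post-authentication paths, because the session cookie is often only issued after login.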
Evidence notes
This debrief is based on the official NVD record and the IBM PSIRT/vendor reference cited by NVD. NVD states the vulnerability affects IBM Security Privileged Identity Manager 2.0.2 and 2.1 and classifies it as CWE-200 with CVSS v3.0 7.5 High. The CVE was published on 2017-02-01 and later modified on 2026-05-13 in NVD metadata; those dates are used only as disclosure/timeline context.
Official resources
- CVE-2016-5958 CVE record (CVE.org)
- CVE-2016-5958 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Patch, Vendor Advisory)
- Mitigation or vendor reference: [email protected] (Third Party Advisory, VDB Entry)
Publicly disclosed in NVD on 2017-02-01. The supplied corpus indicates IBM PSIRT published a vendor advisory and patch reference associated with the issue.