PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6028 IBM CVE debrief

CVE-2016-6028 is a low-complexity information disclosure issue in IBM Jazz technology-based products. IBM’s advisory and NVD describe a case where an attacker could view work item titles they were not privileged to see. The impact is limited to confidentiality, but it can still expose sensitive project metadata.

Vendor: IBM
Product: CVE-2016-6028
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Jazz technology-based product administrators, especially teams running IBM Rational Collaborative Lifecycle Management 4.0.0 through 6.0.2, and security teams responsible for access control reviews and patching.

Technical summary

NVD lists CVE-2016-6028 with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network reachability, low required privileges, and limited confidentiality impact. The affected scope in the NVD record includes IBM Rational Collaborative Lifecycle Management versions 4.0.0 through 6.0.2. The vulnerability is categorized under CWE-264 in the supplied record and is described as allowing unauthorized viewing of work item titles.

Defensive priority

Medium. Prioritize if the product is exposed to multiple users or contains sensitive project tracking data, but this is not an immediate availability risk.

Recommended defensive actions

  • Review the IBM support advisory linked in the record and apply IBM’s vendor-recommended patch or remediation for the affected release train.
  • Inventory IBM Jazz-based deployments and confirm whether any instance matches the vulnerable Rational Collaborative Lifecycle Management versions listed by NVD.
  • Revalidate access controls around work items and project metadata to ensure titles are only visible to authorized users.
  • Monitor audit logs for unexpected access patterns to work items and related project records.
  • If immediate patching is not possible, reduce exposure by restricting user permissions and limiting access to affected application areas.
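For the inventory step above, the following added Python example (my own code, not PatchSiren's or IBM's) checks deployment records against the NVD-listed affected range, 4.0.0 through 6.0.2 inclusive. Versions are compared as integer tuples, because a naive string comparison sorts "6.0.10" before "6.0.2" and would misclassify it. The hostnames and versions in the sample inventory are constructed for illustration.

```python
import re

# Affected range quoted from the NVD record for CVE-2016-6028 (inclusive).
AFFECTED_LOW = "4.0.0"
AFFECTED_HIGH = "6.0.2"
AFFECTED_PRODUCT = "Rational Collaborative Lifecycle Management"


def parse_version(version):
    """Turn 'major.minor.patch' into an int tuple so ordering is numeric."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in match.groups())


def is_affected(version, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """True when low <= version <= high, compared numerically."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage_inventory(entries, product=AFFECTED_PRODUCT):
    """entries: iterable of (host, product, version) tuples.

    Returns (affected, unparseable): affected is the list of hosts running the
    named product inside the vulnerable range; unparseable lists hosts whose
    version string could not be read and therefore need manual review.
    """
    affected, unparseable = [], []
    for host, prod, version in entries:
        if prod != product:
            continue
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            unparseable.append(host)
    return affected, unparseable


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("jazz-01.example.test", AFFECTED_PRODUCT, "6.0.1"),    # inside range
    ("jazz-02.example.test", AFFECTED_PRODUCT, "6.0.3"),    # just above range
    ("jazz-03.example.test", AFFECTED_PRODUCT, "3.0.1"),    # below range
    ("jazz-04.example.test", AFFECTED_PRODUCT, "6.0.10"),   # string compare would get this wrong
    ("jazz-05.example.test", AFFECTED_PRODUCT, "unknown"),  # needs manual review
    ("other-01.example.test", "Some Other Product", "5.0.0"),  # different product
]

if __name__ == "__main__":
    hit, review = triage_inventory(SAMPLE_INVENTORY)
    print("affected:", hit)
    print("manual review:", review)
```

Feed it the host, product and version columns exported from whatever asset register you keep; anything in the `unparseable` list should be checked by hand rather than silently treated as safe.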

Evidence notes

Timing and scope come from the supplied NVD record: published 2017-02-01 and modified 2026-05-13. The record’s references include IBM PSIRT’s vendor advisory/patch page and a SecurityFocus BID entry. NVD’s CVSS vector and listed vulnerable CPEs support the conclusion that the issue is an authenticated information disclosure affecting IBM Rational Collaborative Lifecycle Management 4.0.0 through 6.0.2.

Official resources

Publicly disclosed in the NVD record on 2017-02-01. No KEV listing is present in the supplied data.