PatchSiren cyber security CVE debrief

CVE-2016-6030 IBM CVE debrief

CVE-2016-6030 is a medium-severity cross-site scripting issue published on 2017-02-01. According to the supplied NVD record, the weakness affects IBM Jazz Foundation-related web UI components and IBM Rational Collaborative Lifecycle Management versions 4.0.0 through 6.0.2. The risk is most relevant where authenticated users can be induced to render attacker-controlled content in a trusted session.

Vendor: IBM
Product: CVE-2016-6030
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Jazz Foundation and Rational Collaborative Lifecycle Management administrators, application security teams, and anyone operating the affected Web UI for authenticated users.

Technical summary

NVD classifies the issue as CWE-79 (cross-site scripting) with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The supplied description states that users can embed arbitrary JavaScript code in the Web UI, which can alter application behavior and may expose credentials or other sensitive data within a trusted session. The vulnerable product coverage in the NVD CPE data includes IBM Rational Collaborative Lifecycle Management versions 4.0.0 through 6.0.2.

Defensive priority

Medium. Remediate promptly if the application is exposed to authenticated users, stores sensitive data, or relies on high-trust browser sessions.

Recommended defensive actions

  • Apply IBM’s vendor remediation guidance referenced by NVD for this issue.
  • Update or remediate all affected IBM Rational Collaborative Lifecycle Management versions listed in the NVD CPE set (4.0.0 through 6.0.2).
  • Review web UI input handling and output encoding for any user-controlled fields that can be rendered in browser contexts.
  • Limit who can create or edit content that is later displayed in the Web UI.
  • Consider session and access-control hardening for high-trust users, especially where sensitive information is available in the interface.
  • Validate the environment against IBM’s advisory and confirm the fix scope before returning the service to normal use.

Evidence notes

The supplied NVD record lists CWE-79 and CVSS 3.0 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Its CPE criteria mark IBM Rational Collaborative Lifecycle Management 4.0.0 through 6.0.2 as vulnerable. The NVD reference set cites IBM’s advisory (swg21996097) and a SecurityFocus BID entry for technical description context.

Official resources

CVE published on 2017-02-01T20:59:01.737Z. This debrief uses that published timestamp for timing context and does not treat the later modified timestamp as the issue date.