PatchSiren

CVE-2016-6060 IBM CVE debrief

CVE-2016-6060 is an information disclosure issue in IBM Rational DOORS Next Generation and related IBM Rational Requirements Composer releases. A JazzGuest user could view project names, which can reveal sensitive project metadata even though the issue does not affect integrity or availability.

Vendor: IBM
Product: CVE-2016-6060
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

IBM Rational DOORS Next Generation and Rational Requirements Composer administrators, especially organizations that use JazzGuest or other low-privilege guest access and treat project names as sensitive.

Technical summary

NVD maps this issue to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and gives it CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3). The source corpus indicates vulnerable IBM Rational DOORS Next Generation versions 5.0, 5.0.0, 5.0.1, 5.0.2, 6.0.0, 6.0.1, and 6.0.2, and IBM Rational Requirements Composer 4.0.1 through 4.0.7; the CVE description also references DOORS Next Generation 4.0, 5.0, and 6.0. The exposed data is limited to project names, but that may still be operationally sensitive.

Defensive priority

Medium for environments where project names reveal confidential programs, customer work, or internal structure; otherwise lower operational urgency because the impact is limited to confidentiality.

Recommended defensive actions

  • Review the IBM PSIRT advisory (IBM reference #1995547) and apply the vendor patch or mitigation guidance.
  • Confirm which IBM Rational DOORS Next Generation or Rational Requirements Composer versions are deployed and compare them to the vulnerable versions listed by NVD.
  • Restrict or review JazzGuest permissions and any guest-access paths that expose project metadata.
  • Audit project visibility settings and verify that unauthorized users cannot enumerate or view project names.
  • Re-test after remediation to confirm guest users no longer have access to project listings.
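
For the version-comparison step above, an added example (not from IBM, NVD or this site) that checks an inventory against the affected releases listed in the technical summary. The product aliases, host names and inventory rows are constructed assumptions; only the version lists come from this page.

```python
import re

# Affected releases as listed in the technical summary on this page;
# "5.0" and "5.0.0" normalise to the same tuple.
DNG_AFFECTED = {(5, 0, 0), (5, 0, 1), (5, 0, 2), (6, 0, 0), (6, 0, 1), (6, 0, 2)}
RRC_FIRST, RRC_LAST = (4, 0, 1), (4, 0, 7)  # "4.0.1 through 4.0.7", inclusive

# Assumption: product labels an inventory export might use; extend as needed.
ALIASES = {"doors next generation": "dng", "dng": "dng",
           "rational requirements composer": "rrc", "rrc": "rrc"}

def parse_version(text):
    """'5.0' -> (5, 0, 0); '6.0.2 iFix003' -> (6, 0, 2); no digits -> None."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(product, version):
    """Return 'affected', 'review' or 'not-listed' for one inventory row."""
    key = ALIASES.get(product.strip().lower())
    if key is None:
        return "not-listed"      # not a product named on this page
    v = parse_version(version)
    if v is None:
        return "review"          # version unknown: check by hand
    if key == "dng" and v in DNG_AFFECTED:
        return "affected"
    if key == "dng" and v[:2] == (4, 0):
        return "review"          # 4.0 appears only in the CVE description
    if key == "rrc" and RRC_FIRST <= v <= RRC_LAST:
        return "affected"
    return "not-listed"

# Constructed sample inventory: (host, product, version string).
INVENTORY = [
    ("req-prod-01", "DOORS Next Generation", "6.0.2 iFix003"),
    ("req-test-02", "DNG", "5.0"),
    ("req-old-03", "Rational Requirements Composer", "4.0.7"),
    ("req-old-04", "RRC", "4.0.0"),
    ("req-lab-05", "dng", "4.0.6"),
]

def triage(inventory):
    """Classify every row and return (host, status) pairs."""
    return [(host, classify(p, v)) for host, p, v in inventory]

if __name__ == "__main__":
    print(*triage(INVENTORY), sep="\n")
```

Here "affected" means the release is in the listed set; interim-fix levels are not evaluated because this page does not state fixed levels, so confirm those against the IBM advisory.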

Evidence notes

The CVE was published on 2017-02-15 in the provided source data, and the NVD record was modified again on 2026-05-13. The official references supplied are the CVE record, the NVD detail page, and the IBM PSIRT advisory (IBM reference #1995547). No exploit code, weaponized reproduction, or KEV/ransomware indication is present in the source corpus.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-15, with an IBM PSIRT advisory reference tied to IBM reference #1995547. The NVD record was later modified on 2026-05-13.