PatchSiren cyber security CVE debrief
CVE-2016-6068 IBM CVE debrief
CVE-2016-6068 is an IBM UrbanCode Deploy information disclosure issue. According to NVD, an authenticated user with access to the product’s REST endpoints could access API and CLI getResource secured role properties. IBM and NVD published the record on 2017-02-01; the NVD entry was later modified on 2026-05-13, but that does not change the original disclosure timing.
- Vendor: IBM
- Product: CVE-2016-6068
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
IBM UrbanCode Deploy administrators, DevOps/platform teams, and security teams that manage authenticated access to UrbanCode Deploy REST endpoints. Organizations running exposed or broadly accessible deployment automation platforms should treat this as a priority information-disclosure review.
Technical summary
NVD maps the issue to CWE-200 and rates it CVSS v3.0 7.5 HIGH with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The published description states that an authenticated user with access to REST endpoints could access secured role properties associated with API and CLI getResource roles. The evidence corpus also lists IBM UrbanCode Deploy releases from 6.0 through 6.2.2.1 as vulnerable.
Defensive priority
High for any IBM UrbanCode Deploy deployment that exposes REST access to more users than intended. Because the weakness is confidentiality-focused and requires authenticated access, prioritize it especially where role or privilege data could aid further abuse.
Recommended defensive actions
- Follow IBM’s PSIRT advisory for the vendor-recommended fix or patch path referenced in the official advisory.
- Restrict UrbanCode Deploy REST endpoint access to only trusted, necessary authenticated users.
- Review authorization controls around API and CLI getResource role properties and verify they are not overexposed.
- Inventory deployed IBM UrbanCode Deploy versions against the affected CPE list in NVD, especially releases from 6.0 through 6.2.2.1.
- Monitor for unusual access to REST endpoints and investigate any authenticated requests that attempt to enumerate secured role properties.
- If immediate patching is not possible, reduce exposure of the administration plane and minimize the number of users with REST access.
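The inventory step above, sketched as an added example (not code from IBM, NVD or the source record). It assumes a `host,version` inventory export and treats "6.0 through 6.2.2.1" as one contiguous inclusive range, which NVD's CPE list may not match entry for entry; hostnames and versions in the sample are constructed.

```python
import re

# Affected range as stated on this page: releases 6.0 through 6.2.2.1.
# Assumption: handled as a contiguous inclusive range; NVD's CPE list is
# the authoritative enumeration of affected releases.
AFFECTED_MIN = (6, 0)
AFFECTED_MAX = (6, 2, 2, 1)

def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if unparseable."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def _pad(version, width):
    """Right-pad with zeros so 6.0 and 6.0.0.0 compare as equal."""
    return version + (0,) * (width - len(version))

def classify(version_text):
    """Return 'affected', 'outside-range' or 'unknown' for one version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never assume safe; needs manual review
    width = max(len(version), len(AFFECTED_MIN), len(AFFECTED_MAX))
    low, high = _pad(AFFECTED_MIN, width), _pad(AFFECTED_MAX, width)
    # Numeric tuple comparison: "6.10.0" sorts after "6.2.2.1", unlike strings.
    return "affected" if low <= _pad(version, width) <= high else "outside-range"

def triage(inventory_lines):
    """Map host -> classification from 'host,version' lines."""
    result = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result[host.strip()] = classify(version)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "ucd-prod-01,6.2.2.1",
    "ucd-stage-01,6.2.2.2",
    "ucd-dev-01,6.1.3",
    "ucd-lab-01,6.10.0",
    "ucd-dr-01,unknown-build",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

`outside-range` only means the reported version falls outside the range quoted on this page; confirm fixed status against IBM's advisory.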
Evidence notes
The corpus describes the vulnerability as an authenticated-user information disclosure in IBM UrbanCode Deploy. NVD lists CVSS v3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-200, supporting a confidentiality-only impact. Official references include the IBM support advisory and a SecurityFocus technical entry. The CVE record was published on 2017-02-01, which is the appropriate public-disclosure date to cite here.
Official resources
- CVE-2016-6068 CVE record (CVE.org)
- CVE-2016-6068 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: [email protected] - Technical Description, VDB Entry
Publicly disclosed in the NVD/CVE record on 2017-02-01, with IBM vendor advisory and third-party reference material linked from the record. The later NVD modification date in 2026 reflects record maintenance, not the original vulnerability-