PatchSiren cyber security CVE debrief

CVE-2016-6097 IBM CVE debrief

CVE-2016-6097 is a local information-disclosure issue in IBM Tivoli Key Lifecycle Manager and related IBM Security Key Lifecycle Manager releases. According to NVD, a local attacker on the same system could read web pages stored locally by the application, exposing information without requiring privileges or user interaction. The issue is rated Medium by NVD and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Vendor: IBM
Product: CVE-2016-6097
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

Administrators and operators of IBM Tivoli Key Lifecycle Manager / IBM Security Key Lifecycle Manager on shared or multi-user systems should care most, especially where local accounts are not fully trusted. Security teams should also review any environment where these products store web content or other sensitive artifacts on hosts accessible by multiple users.

Technical summary

NVD describes the flaw as allowing web pages to be stored locally and then read by another user on the system. The vulnerable scope in the NVD data includes IBM Tivoli Key Lifecycle Manager 2.0.1.x builds and IBM Security Key Lifecycle Manager 2.5.0.x and 2.6.0.x builds. The published CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating a local, low-complexity confidentiality issue with no integrity or availability impact recorded.

Defensive priority

Medium for multi-user servers; lower for isolated single-user deployments. Prioritize if the affected host is shared, if local shell access is broadly available, or if the application handles sensitive key-management data. The risk is narrower than a remote-code-execution flaw, but key-management products often process sensitive material, so even limited disclosure can matter.

Recommended defensive actions

  • Check whether any IBM Tivoli Key Lifecycle Manager or IBM Security Key Lifecycle Manager deployments match the affected NVD builds listed for this CVE.
  • Apply the IBM vendor guidance referenced by NVD and the IBM support document linked in the advisory references.
  • Review host-level permissions and local storage locations used by the application to ensure sensitive web content is not readable by unintended local users.
  • Restrict local user access on systems running the affected product, especially on shared administrative hosts.
  • Confirm that affected systems are moved to a fixed version or otherwise remediated according to IBM's advisory before assuming the issue is closed.
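The permission review in the list above can be scripted. The following is an added example, not IBM tooling or code from this advisory; it walks a directory tree and reports regular files that the group or other local users can read, and the "webcache" directory it builds is a constructed sample standing in for the application's real storage path.

```python
"""Audit a directory tree for files that other local users can read.

Added example for the permission review step; the directory layout and file
names below are constructed, not the application's real storage path.
"""
import os
import stat
import tempfile

OTHER_READ = stat.S_IROTH   # readable by any local user
GROUP_READ = stat.S_IRGRP   # readable by members of the file's group


def find_exposed_files(root):
    """Return {relative_path: problem} for regular files under root whose
    mode grants read access beyond the owner."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, etc.
            mode = stat.S_IMODE(st.st_mode)
            problems = []
            if mode & OTHER_READ:
                problems.append("world-readable")
            if mode & GROUP_READ:
                problems.append("group-readable")
            if problems:
                findings[os.path.relpath(path, root)] = ", ".join(problems)
    return findings


def demo():
    """Constructed sample tree: one owner-only file, one group-readable file,
    one world-readable file. Returns the audit findings for that tree."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "webcache")
        os.makedirs(cache)
        samples = {"private.html": 0o600, "team.html": 0o640, "public.html": 0o644}
        for name, mode in samples.items():
            path = os.path.join(cache, name)
            with open(path, "w") as fh:
                fh.write("<html>constructed sample page</html>\n")
            os.chmod(path, mode)   # explicit mode, so the process umask does not matter
        return find_exposed_files(root)


if __name__ == "__main__":
    for path, problem in sorted(demo().items()):
        print(f"{path}: {problem}")
```

Run `find_exposed_files` against the application's actual storage directory; any file it reports is readable by at least one account other than the service owner and should be tightened or moved.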

Evidence notes

All claims above are limited to the supplied NVD-derived corpus and linked official references. The source data states the weakness category as CWE-200 and the CVSS vector as AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The NVD CPE criteria list affected IBM Tivoli Key Lifecycle Manager 2.0.1.x entries and IBM Security Key Lifecycle Manager 2.5.0.x and 2.6.0.x entries. The corpus also includes an IBM support advisory reference and a SecurityFocus entry, but the advisory text itself was not provided here.

Official resources

The NVD entry and the CVE record were published on 2017-02-07. The supplied corpus shows a later NVD modification on 2026-05-13; that modified date is not the vulnerability date and should be treated only as record maintenance timing.