PatchSiren cyber security CVE debrief
CVE-2016-6122 IBM CVE debrief
CVE-2016-6122 is an information disclosure issue in IBM Kenexa LMS on Cloud. In affected versions, an authenticated user can receive answers to security questions in a response, exposing sensitive account recovery data. The CVE was published on 2017-02-01 and is rated Medium severity with a CVSS 3.0 score of 4.3.
- Vendor: IBM
- Product: CVE-2016-6122
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for IBM Kenexa LMS on Cloud instances, especially deployments running versions 13.1 and 13.2 through 13.2.4. Identity and help-desk teams should also care because disclosed security-question answers can undermine account recovery controls.
Technical summary
The NVD record describes the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability affects IBM Kenexa LMS on Cloud 13.1, 13.2, 13.2.2, 13.2.3, and 13.2.4. The CVSS v3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: the flaw is reachable over the network, has low attack complexity, requires only low privileges (an authenticated user), needs no user interaction, and has a confidentiality impact limited to partial exposure, with no integrity or availability impact.
Defensive priority
Medium. The issue does not indicate integrity or availability impact, but it can expose security-question answers and weaken account recovery protections. Prioritize it as a sensitive-information disclosure in any environment that uses this product and version range.
Recommended defensive actions
- Check whether any IBM Kenexa LMS on Cloud deployments are running affected versions 13.1 or 13.2 through 13.2.4.
- Review the IBM vendor advisory and apply any vendor-recommended remediation or upgrade path.
- Treat any exposed security-question answers as compromised recovery data and reset or rotate account recovery settings where appropriate.
- Reduce reliance on security questions for account recovery if your environment allows stronger authentication or recovery controls.
- Monitor administrative and user account activity for signs of abuse involving recovery or identity workflows.
Evidence notes
The vulnerability summary, affected versions, CVSS score/vector, and CWE classification come from the supplied NVD record. The IBM vendor advisory and SecurityFocus entries are listed in the source references, but no additional claims are made beyond the metadata provided here.
Official resources
- CVE-2016-6122 CVE record (CVE.org)
- CVE-2016-6122 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Published by NVD and the CVE record on 2017-02-01. No KEV listing is provided in the supplied data.