PatchSiren cyber security CVE debrief
CVE-2016-8913 IBM CVE debrief
CVE-2016-8913 is a directory traversal vulnerability in IBM Kenexa LMS on Cloud. According to the CVE description, a remote attacker could send specially crafted URL requests containing dot-dot sequences (/../) to view arbitrary files on the system. NVD classifies the weakness as CWE-22 and rates it Medium with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network reachability, low attack complexity, no user interaction, and high confidentiality impact.
- Vendor: IBM
- Product: CVE-2016-8913
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for IBM Kenexa LMS on Cloud deployments, especially versions 13.1 and 13.2 through 13.2.4. Teams that manage internet-facing application servers or any deployment where authenticated users can reach the affected web paths should treat this as a file-disclosure risk.
Technical summary
The issue is a path traversal flaw in IBM Kenexa LMS on Cloud that allows dot-dot path sequences in a URL to escape the intended directory and access arbitrary files. The published NVD metadata lists affected CPEs for IBM Kenexa LMS on Cloud 13.1, 13.2, 13.2.2, 13.2.3, and 13.2.4, and the CVSS vector shows that exploitation is remote, requires low privileges, and can expose sensitive information without affecting integrity or availability.
Defensive priority
Medium. The primary risk is confidentiality loss through unauthorized file read. Prioritize if the product is exposed to untrusted networks, contains sensitive configuration or credential material on disk, or if you cannot quickly confirm a fixed vendor version.
Recommended defensive actions
- Review IBM’s vendor advisory and apply the vendor-recommended remediation for affected Kenexa LMS on Cloud versions.
- Identify all IBM Kenexa LMS on Cloud 13.1 and 13.2 through 13.2.4 instances and verify whether any remain in production or staging.
- Restrict network access to the application to trusted users and management networks until remediation is complete.
- Monitor web access logs for suspicious requests containing ../ or other traversal patterns.
- Check for exposure of sensitive files that could have been readable through the application and rotate credentials or secrets if needed.
- Update internal asset inventory and vulnerability tracking so affected instances can be prioritized for patching or replacement.
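The log-monitoring action above, as an added example that is not part of the PatchSiren debrief or any IBM material: a small Python filter that parses combined-format access log lines, percent-decodes the request path (twice, so double-encoded sequences surface) and reports requests carrying ../ or ..\ traversal sequences, flagging 2xx responses for first review. The log format, the field names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined/common access-log format is assumed; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
DOTDOT_RE = re.compile(r'\.\.[\\/]')  # "../" or "..\" once the path is decoded
OVERLONG_DOT = '%c0%ae'  # overlong UTF-8 "."; unquote() maps it to U+FFFD, so check raw

def decode_path(path: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded ../ becomes visible."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_traversal(lines):
    """One record per request whose path holds a traversal sequence.
    likely_success flags 2xx answers: the server served something rather than
    rejecting the request, so those rows deserve the first look in triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in real use
        raw = m.group('path')
        if DOTDOT_RE.search(decode_path(raw)) or OVERLONG_DOT in raw.lower():
            status = int(m.group('status'))
            hits.append({'ip': m.group('ip'), 'time': m.group('ts'), 'path': raw,
                         'status': status, 'likely_success': 200 <= status < 300})
    return hits

SAMPLE_LOG = [  # constructed sample, not real traffic
    '203.0.113.5 - - [01/Feb/2017:10:00:01 +0000] "GET /lms/content/../../../WEB-INF/web.xml HTTP/1.1" 200 2211',
    '203.0.113.5 - - [01/Feb/2017:10:00:02 +0000] "GET /lms/content/%2e%2e/%2e%2e/config.properties HTTP/1.1" 200 1432',
    '198.51.100.7 - - [01/Feb/2017:10:00:03 +0000] "GET /lms/content/%252e%252e%252fserver.xml HTTP/1.1" 404 512',
    '198.51.100.9 - - [01/Feb/2017:10:00:04 +0000] "GET /lms/course/view?id=42 HTTP/1.1" 200 8801',
    '198.51.100.9 - - [01/Feb/2017:10:00:05 +0000] "GET /lms/static/app..min.js HTTP/1.1" 200 990',
]

if __name__ == '__main__':
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Feed it the web tier's access logs for the affected Kenexa LMS on Cloud hosts; the "app..min.js" line shows that a bare ".." without a separator is deliberately not reported.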
Evidence notes
All core facts are taken from the supplied CVE record and NVD metadata: the vulnerability class is directory traversal/CWE-22, the affected IBM Kenexa LMS on Cloud versions are 13.1 and 13.2 through 13.2.4, and the CVSS 3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The disclosure date used here is the CVE published timestamp, not the later NVD modified timestamp.
Official resources
- CVE-2016-8913 CVE record (CVE.org)
- CVE-2016-8913 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
CVE published on 2017-02-01. The NVD record was later modified on 2026-05-13; that later metadata update is not the vulnerability discovery date.