PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8929 IBM CVE debrief

CVE-2016-8929 is a medium-severity SQL injection vulnerability in IBM Kenexa LMS on Cloud. According to NVD, a remote attacker holding a low-privileged account could send specially crafted SQL statements to the back-end database and potentially view, add, modify, or delete data. The NVD record maps the issue to CWE-89, lists multiple affected IBM Kenexa LMS versions, and references IBM's vendor guidance.

Vendor
IBM
Product
IBM Kenexa LMS on Cloud
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-01
Original CVE updated
2026-05-13
Advisory published
2017-02-01
Advisory updated
2026-05-13

Who should care

Administrators, security teams, and application owners running IBM Kenexa LMS on Cloud, especially the affected versions listed in NVD (4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2).

Technical summary

NVD classifies the flaw as CWE-89 (SQL injection) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L: reachable over the network, low attack complexity, low privileges required (an authenticated user), no user interaction, and scope unchanged. Note that the vector scores no confidentiality impact and only low integrity and availability impact, while the NVD description text says crafted SQL statements could let the attacker view as well as add, modify, or delete data; when assessing exposure, treat the description rather than the vector as the upper bound. The vulnerable CPE entries in the source cover IBM Kenexa LMS versions 4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2.

Defensive priority

Medium priority. The CVSS 3.0 base score is 5.4, and exploitation requires an authenticated account with low privileges, but it needs no user interaction and a successful injection can alter or delete database data (the vector scores low integrity and availability impact, and NVD's description also mentions viewing data). Schedule remediation promptly for any exposed or actively used deployment, and sooner where many low-privileged accounts exist, since each of them is a potential attacker.

Recommended defensive actions

  • Confirm the version of each IBM Kenexa LMS on Cloud instance against the affected versions listed by NVD (4.1, 4.2, 4.2.2, 4.2.3, 4.2.4, 5.0, 5.1, and 5.2).
  • Apply the IBM remediation described in the vendor advisory linked from the NVD record.
  • Review application input handling and database access for SQL injection exposure: every user-controlled value should reach the database as a bound parameter, never spliced into query text, and the application's database account should hold only the privileges it needs so an injection cannot read or alter tables outside its scope.
  • Monitor application and database logs for anomalous queries (unexpected OR/UNION clauses, comment sequences, statements touching tables the feature does not use) and for unexpected data modification or deletion.
  • Until remediation is complete, restrict who can reach the application and keep account privileges minimal, since exploitation requires an authenticated low-privileged user.
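The input-handling point in the list above, shown concretely. This is an added example, not code from IBM Kenexa LMS (whose source is not public) and not drawn from the IBM advisory; the enrollments table, its rows and the attacker payload are constructed for the demo. It runs the same UPDATE twice against an in-memory SQLite database, once with the learner value spliced into the SQL text (the CWE-89 pattern) and once with it bound as a parameter, and returns how many rows each version changed.

```python
"""CWE-89 in miniature: one UPDATE built by string splicing, one with a bound parameter.

Added illustration for the input-handling review above. Not IBM Kenexa LMS code and
not taken from the IBM advisory; the enrollments table, the rows and the attacker
payload are constructed for this demo and run against an in-memory SQLite database.
"""
import sqlite3

# Constructed sample data: a learner/course enrollment table as an LMS might hold.
SAMPLE_ROWS = [
    ("alice", "SEC-101", "enrolled"),
    ("bob", "SEC-101", "completed"),
    ("carol", "SEC-202", "enrolled"),
]

# Constructed attacker value for the learner field. The quote closes the string
# literal, OR 1=1 makes the WHERE clause match every row, and -- comments out the rest.
PAYLOAD = "alice' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enrollments (learner TEXT, course TEXT, status TEXT)")
    conn.executemany("INSERT INTO enrollments VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def mark_completed_vulnerable(conn: sqlite3.Connection, learner: str, course: str) -> int:
    """Untrusted input spliced into the SQL text: the caller's string becomes query
    structure, which is the CWE-89 pattern. Returns the number of rows updated."""
    sql = (
        "UPDATE enrollments SET status = 'completed' "
        f"WHERE learner = '{learner}' AND course = '{course}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def mark_completed_safe(conn: sqlite3.Connection, learner: str, course: str) -> int:
    """Same statement with bound parameters: the driver passes the values separately
    from the SQL text, so a quote or comment sequence in the input stays plain data."""
    cur = conn.execute(
        "UPDATE enrollments SET status = 'completed' WHERE learner = ? AND course = ?",
        (learner, course),
    )
    conn.commit()
    return cur.rowcount


def statuses(conn: sqlite3.Connection) -> dict:
    """Current status per learner, to inspect what each version actually changed."""
    rows = conn.execute("SELECT learner, status FROM enrollments ORDER BY learner")
    return {learner: status for learner, status in rows}


if __name__ == "__main__":
    vuln = make_db()
    n = mark_completed_vulnerable(vuln, PAYLOAD, "SEC-101")
    print(f"vulnerable: {n} rows changed -> {statuses(vuln)}")
    safe = make_db()
    n = mark_completed_safe(safe, PAYLOAD, "SEC-101")
    print(f"parameterized: {n} rows changed -> {statuses(safe)}")
```

With the payload, the spliced version rewrites every enrollment in the table (including a course the caller never named), which is the integrity impact the vector records; the parameterized version matches no learner and changes nothing, while a legitimate learner name still updates exactly its one row.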

Evidence notes

This debrief is based on the supplied NVD record published on 2017-02-01 and last modified on 2026-05-13, plus the linked IBM advisory and SecurityFocus entry referenced in the source metadata. The source specifies affected IBM Kenexa LMS versions, CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, and CWE-89. No KEV entry was provided in the supplied corpus.

Official resources

Publicly disclosed on 2017-02-01 per the CVE/NVD record; the NVD entry was last modified on 2026-05-13. The IBM advisory and the SecurityFocus entry are the external references carried in the NVD record.