PatchSiren

CVE-2016-8981 IBM CVE debrief

CVE-2016-8981 is a local information disclosure issue in IBM BigFix Inventory / IBM License Metric Tool. According to NVD, the affected software can store web pages locally in a way that allows another user on the same system to read them, creating a confidentiality exposure on shared hosts. NVD rates the issue CVSS v3.0 5.5 (medium) and maps it to CWE-200.

Vendor: IBM
Product: CVE-2016-8981
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM BigFix Inventory and License Metric Tool administrators, endpoint management teams, and security owners running these products on shared or multi-user systems where other local accounts may be present.

Technical summary

The supplied NVD record describes a local read-access flaw: web pages stored by the application can be accessed by another local user on the system. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates low-privilege local access is sufficient, no user interaction is needed, and the impact is confined to confidentiality. NVD lists IBM BigFix Inventory 9.2 and IBM License Metric Tool 9.2.0 as vulnerable CPEs.

Defensive priority

Medium priority: address promptly on any shared or multi-user host, especially if the application can store sensitive web content locally.

Recommended defensive actions

  • Check whether IBM BigFix Inventory 9.2 or IBM License Metric Tool 9.2.0 is deployed in your environment.
  • Review IBM's vendor advisory and apply the vendor-recommended update or workaround.
  • Restrict local shell and account access on systems running the affected software.
  • Audit permissions on application storage locations to prevent unintended reads by other local users.
  • Remove or minimize sensitive content that is stored locally by the application whenever operationally possible.
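
One way to carry out the permissions audit from the list above on a POSIX host, as an added example that is not IBM's code or part of the original debrief. The storage directory is not named in the supplied record, so the caller passes it in; `audit_tree` is a hypothetical helper name, and directories above the audited root are assumed to be traversable.

```python
import os
import stat
import sys


def audit_tree(root):
    """Return sorted (relative path, octal mode) pairs for regular files that a
    local user who is neither the owner nor in the file's group can read.

    A file counts only if every directory from root down to it grants
    'other' search permission (o+x). Search permission alone is treated as
    sufficient, because a file with a predictable name can be opened even
    when the directory cannot be listed.
    """
    findings = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            # Other users cannot traverse this directory, so nothing
            # beneath it is reachable by them: prune the whole subtree.
            dirnames[:] = []
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                rel = os.path.relpath(full, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


if __name__ == "__main__":
    # The storage location is site-specific and must be supplied by the operator.
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <application-storage-directory>")
    for rel, mode in audit_tree(sys.argv[1]):
        print(mode, rel)
```

Run it as the application's service account or as root so every subdirectory can be listed. It inspects mode bits only: POSIX ACLs and group membership need a separate review.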

Evidence notes

The supplied NVD metadata states: 'IBM BigFix Inventory v9 allows web pages to be stored locally which can be read by another user on the system.' NVD assigns CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, CWE-200, and marks IBM BigFix Inventory 9.2 and IBM License Metric Tool 9.2.0 as vulnerable CPEs. The CVE was published on 2017-02-01 and is marked Modified in the supplied record on 2026-05-13. IBM and SecurityFocus references are listed in the record, but their page contents were not provided in the corpus.

Official resources

Publicly disclosed in NVD on 2017-02-01. The supplied record was later modified on 2026-05-13. No CISA KEV entry was supplied for this CVE.