PatchSiren cyber security CVE debrief

CVE-2016-9748 IBM CVE debrief

CVE-2016-9748 is an IBM information-disclosure issue in error response handling. According to NVD, sensitive information in error messages from IBM Rational DOORS Next Generation and IBM Rational Requirements Composer could help an attacker prepare further attacks against the system. The CVE was published on 2017-02-08; the 2026-05-13 modified timestamp reflects later record maintenance, not the original issue date.

Vendor: IBM
Product: CVE-2016-9748
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Administrators, application owners, and security teams responsible for IBM Rational DOORS Next Generation 5.x/6.x and IBM Rational Requirements Composer 4.0.7 deployments.

Technical summary

NVD classifies the weakness as CWE-200 and rates it CVSS v3.0 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The affected CPEs listed by NVD include IBM Rational DOORS Next Generation 5.0, 5.0.0, 5.0.1, 5.0.2, 6.0.0, 6.0.1, and 6.0.2, plus IBM Rational Requirements Composer 4.0.7. The core issue is disclosure of sensitive information through error response messages, which can increase attacker knowledge for subsequent activity.

Defensive priority

Medium

Recommended defensive actions

  • Inventory IBM Rational DOORS Next Generation and Rational Requirements Composer deployments to confirm whether any listed affected versions are in use.
  • Review and apply the IBM PSIRT remediation referenced in the vendor advisory for affected versions.
  • Reduce the amount of diagnostic detail returned in production error responses so sensitive information is not exposed to clients.
  • Validate patched or hardened systems by checking representative error paths to confirm they no longer reveal sensitive internal details.
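One way to carry out the last two actions is to capture the bodies returned on representative error paths and scan them for implementation detail. The sketch below is an added example, not code from IBM or from the NVD record. The record does not say which details were disclosed, so the pattern set is an assumption covering common leak classes, and the sample responses are constructed.

```python
import re

# Assumed leak classes; the advisory summary does not name the disclosed data.
LEAK_PATTERNS = {
    "java_stack_trace": re.compile(r"^\s*at\s+[\w.$]+\([\w$]+\.java:\d+\)", re.M),
    "exception_class": re.compile(r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b"),
    "filesystem_path": re.compile(
        r"/(?:opt|var|usr|home|etc|tmp)/[\w./-]+|\b[A-Za-z]:\\[\w\\.-]+"
    ),
    "sql_error": re.compile(r"\b(?:SQLSTATE|SQLCODE)\b|\bORA-\d{5}\b"),
    "internal_address": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"
    ),
}

def find_leaks(body: str) -> list[str]:
    """Return the sorted leak classes present in one response body."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(body))

def audit(responses):
    """Map request path -> leak classes for every response with findings.

    Status codes are not used as a filter because some applications return
    error pages with a 200 status.
    """
    findings = {}
    for path, _status, body in responses:
        leaks = find_leaks(body)
        if leaks:
            findings[path] = leaks
    return findings

# Constructed sample responses (path, status, body); not taken from any real system.
SAMPLES = [
    ("/constructed/path-a", 500,
     "Internal error\njava.lang.NullPointerException\n"
     "\tat com.example.Handler.run(Handler.java:42)\n"),
    ("/constructed/path-b", 404,
     "The requested resource was not found. Reference ID: 7f3a"),
    ("/constructed/path-c", 500,
     "Could not open /opt/app/conf/server.xml; SQLSTATE=08001 from 10.0.4.17"),
]

if __name__ == "__main__":
    for path, leaks in audit(SAMPLES).items():
        print(f"{path}: {', '.join(leaks)}")
```

Run it against bodies captured before and after remediation; a hardened error path should look like the second sample, a generic message with an opaque reference ID and no findings.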

Evidence notes

This debrief is based on the NVD CVE record and the IBM PSIRT reference cited there. NVD lists the weakness as CWE-200 and provides CVSS v3.0 4.3 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. NVD CPE data identifies the affected IBM Rational DOORS Next Generation versions 5.0, 5.0.0, 5.0.1, 5.0.2, 6.0.0, 6.0.1, 6.0.2, and IBM Rational Requirements Composer 4.0.7. The publishedAt date is 2017-02-08; modifiedAt 2026-05-13 is a later record update.

Official resources

Publicly disclosed in the 2017-02-08 CVE/NVD record, with IBM PSIRT and SecurityFocus references cited by NVD.