CVE-2016-2957 — Sensitive Information Exposure in IBM Connections

CWE-200 — Sensitive Information Exposure CWE-674 — Uncontrolled Recursion11 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 62.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Connections

Timeline

PublishedNov 30

Latest updateMay 17

Description

IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to obtain sensitive information by reading a stack trace in a response.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDibm/connections4.0.0.0, 4.5.0.0, 5.0.0.0+2

Patches

Patch: www-01.ibm.com ↗Patch: www-01.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-849g-mx4m-3h2v: IBM Connections 4↗2022-05-17

▶

CVEList

CVE-2016-2957: IBM Connections 4↗2016-11-30

▶

📋Vendor Advisories

Red Hat

libxml2: stack overflow before detecting invalid XML file (unfixed CVE-2016-3705 in JBCS)↗2016-05-03

▶

💬Community

Bugzilla

CVE-2016-9596 libxml2: stack exhaustion while parsing xml files in recovery mode (unfixed CVE-2016-3627 in JBCS)↗2016-12-22

▶

Bugzilla

CVE-2016-8612 JBCS mod_cluster: Protocol parsing logic error↗2016-10-21

▶

Bugzilla

CVE-2016-6808 mod_jk: Buffer overflow when concatenating virtual host name and URI↗2016-10-06

▶

Bugzilla

CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat↗2016-05-23

▶

Bugzilla

CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar↗2016-05-23

▶