Low severity (3.7) · NVD Advisory · Published Nov 24, 2016 · Updated May 6, 2026

CVE-2016-0378

Description

IBM WebSphere Liberty before 16.0.0.3 leaks sensitive information via unhandled exceptions when no default error page is configured.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

IBM WebSphere Application Server Liberty versions prior to 16.0.0.3 are affected by an information disclosure vulnerability. When the installation lacks a default error page, an exception triggered by a remote request is not properly handled, causing the server to disclose sensitive information in the error response. [1]

Exploitation

An attacker can send a crafted request that triggers an exception on the server. No authentication is required, but the attack complexity is high (CVSS:3.0/AV:N/AC:H). The attacker must know or guess a request that causes an exception, and the server must not have a custom error page defined. The exception details are then returned in the HTTP response. [1]

Impact

Successful exploitation leads to information disclosure (confidentiality impact low). The attacker may obtain sensitive data such as stack traces, internal paths, or configuration details that could aid further attacks. There is no impact on integrity or availability. [1]

Mitigation

IBM released Liberty Fix Pack 16.0.0.3 (or later), which includes the fix for APAR PI54459. Alternatively, apply Interim Fix PI54459. As a workaround, administrators can create a custom error page so that the server's default exception handling is not used. [1]
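To check whether a deployed application already has the workaround in place, the following added example (not from IBM or this advisory) audits a deployment descriptor for an error page that would catch an unhandled exception. It assumes the custom error page is declared with the standard Servlet `<error-page>` element in `WEB-INF/web.xml`; the sample descriptors, class name and file locations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from the advisory).
WEB_XML_NO_ERROR_PAGE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>app</servlet-name>
    <servlet-class>com.example.AppServlet</servlet-class></servlet>
  <error-page><error-code>404</error-code>
    <location>/notfound.html</location></error-page>
</web-app>"""

WEB_XML_HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location></error-page>
  <error-page><location>/error.html</location></error-page>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so descriptors of any schema version match."""
    return tag.rsplit("}", 1)[-1]


def audit_error_pages(web_xml_text):
    """Report which <error-page> mappings would catch an unhandled exception."""
    root = ET.fromstring(web_xml_text)
    result = {"default_page": None, "throwable_page": None, "other": []}
    for node in root.iter():
        if _local(node.tag) != "error-page":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        location = fields.get("location")
        if not location:
            continue  # a mapping without a location cannot serve a page
        code, exc = fields.get("error-code"), fields.get("exception-type")
        if not code and not exc:
            result["default_page"] = location    # Servlet 3.0+ catch-all page
        elif exc == "java.lang.Throwable":
            result["throwable_page"] = location  # matches every exception type
        else:
            result["other"].append((code or exc, location))
    result["covers_unhandled_exceptions"] = bool(
        result["default_page"] or result["throwable_page"])
    return result


if __name__ == "__main__":
    for name, xml in (("no default page", WEB_XML_NO_ERROR_PAGE),
                      ("hardened", WEB_XML_HARDENED)):
        print(name, audit_error_pages(xml))
```

A descriptor that only maps specific status codes, such as the 404 mapping in the first sample, is reported as not covering unhandled exceptions.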

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* (range: <=16.0.0.2)
  • (no CPE) (range: <16.0.0.3)
