CVE-2016-9697
Description
IBM Rhapsody Design Manager 4.0, 5.0, and 6.0 allow a JSON Hijacking attack that exposes data passed between server and browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM Rhapsody Design Manager versions 4.0, 5.0, and 6.0 contain an unspecified vulnerability that could allow an attacker to perform a JSON Hijacking attack [1]. This class of attack occurs when an attacker is able to intercept or otherwise access JSON data exchanged between the server and the browser, typically by working around the same-origin policy or by tricking the user into executing a malicious script that reads cross-origin JSON responses [1].
Exploitation
The attacker requires no authentication and can exploit the vulnerability over a network [1]. The exact mechanism is not disclosed in the available references, but typical JSON Hijacking attacks rely on the attacker being able to request a JSON resource from the victim's browser (e.g., via a crafted web page or a script) and access the data due to insufficient protections [1].
Impact
A successful JSON Hijacking attack may expose information passed between the server and the browser to an attacker [1]. The impact is limited to disclosure of potentially sensitive data carried in JSON responses [1]. The CVSS v3 base score is 3.1 (Low) [1].
Mitigation
IBM has released a security bulletin referencing fix information for Rational Rhapsody Design Manager, but the specific fixed version is not explicitly stated in the available reference [1]. Customers are advised to consult the IBM support page for updates and apply the recommended fix from the vendor [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 4.0, 5.0, 6.0
- IBM Corporation/Rational Rhapsody Design Manager v5 Range: 4.0.2
Patches
No patches discovered yet.
References
- www.ibm.com/support/docview.wss (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/96828 (nvd; Third Party Advisory, VDB Entry)