Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.
AnalysisAI
IBM Concert versions 1.0.0 through 2.2.0 contain a missing function-level access control vulnerability that allows local users to obtain sensitive information without authentication. An attacker with local system access can bypass authorization checks to read confidential data stored within the application. While the CVSS score of 5.1 indicates moderate severity, the lack of authentication requirements and local attack vector present a meaningful risk in multi-tenant or shared system environments.
Technical ContextAI
This vulnerability stems from inadequate implementation of function-level access control, classified under CWE-522 (Insufficiently Protected Credentials). IBM Concert, an enterprise collaboration and business process platform, fails to properly validate user permissions before exposing sensitive functionality. The affected versions (1.0.0 through 2.2.0) contain logic flaws where critical functions can be invoked without proper authentication or authorization checks. The vulnerability affects the core Concert application (identified via CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*), meaning all installations within the affected version range are potentially exposed. This is a classic authorization bypass allowing horizontal privilege escalation or lateral movement from a compromised local account.
RemediationAI
Immediately upgrade IBM Concert to a patched version released after the vulnerability disclosure (consult the IBM support page at https://www.ibm.com/support/pages/node/7267105 for the specific target version and upgrade procedures). Before patching is feasible, apply compensating controls: restrict local system access through OS-level user account management and group policies, disable unnecessary local accounts, and implement filesystem-level access controls to prevent unauthorized process execution. Monitor Concert application logs for suspicious function invocations or unauthorized data access attempts. If Concert processes sensitive credentials, rotate all credentials post-remediation. Schedule patching during a maintenance window, as Concert is likely business-critical; test patches in a staging environment first to ensure compatibility with existing deployments.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209029
GHSA-p29m-v6j2-fcqm