Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.
AnalysisAI
IBM Concert versions 1.0.0 through 2.2.0 contain an improper channel communication restriction vulnerability that allows privileged users to perform unauthorized actions by bypassing intended endpoint controls. The vulnerability, classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), has a CVSS score of 5.1 with medium integrity impact and is not currently listed in CISA's Known Exploited Vulnerabilities catalog, though a vendor patch is available.
Technical ContextAI
This vulnerability stems from inadequate validation and enforcement of channel communication restrictions in IBM Concert (CPE: cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*), a collaboration and orchestration platform. CWE-923 describes scenarios where applications fail to properly restrict communication to only intended endpoints or channels, potentially allowing attackers with elevated privileges to interact with unintended system components or services. In the context of IBM Concert, this likely involves inter-service communication, API gateways, or message queue channels that should be isolated but are accessible to privileged users through insufficient access controls or authentication mechanisms at the channel level rather than the application layer.
RemediationAI
Upgrade IBM Concert to version 2.2.1 or later immediately using the patch made available by IBM at https://www.ibm.com/support/pages/node/7267105. For environments where immediate patching is not feasible, implement network segmentation to restrict local access to Concert infrastructure, enforce strict access control lists on inter-service communication channels, audit and revoke unnecessary privileged accounts, and monitor channel communication logs for unauthorized endpoint access attempts. Additionally, ensure that all Concert instances operate with minimal required privileges and apply principle of least privilege to service accounts and administrative users.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209027