{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36440", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:17:04.946Z", "datePublished": "2026-03-25T20:34:26.566Z", "dateUpdated": "2026-03-25T20:34:26.566Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:34:26.566Z"}, "title": "Multiple Vulnerabilities in IBM Concert Software", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Concert", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267105", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1\n\nDownload IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow\u00a0 installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><br>IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1</p><p>Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry (<a href=\"https://myibm.ibm.com/products-services/containerlibrary\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ICR</a>) and follow&nbsp;<a href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">installation instructions</a>&nbsp;depending on the type of deployment.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control."}], "id": "CVE-2025-36440", "lastModified": "2026-03-25T21:16:25.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 2.5, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-03-25T21:16:25.463", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7267105"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:23:22.271598+00:00", "value": {"mitigation_remediation": ["Download and install IBM Concert Software 2.3.1 from the IBM Entitled Registry and follow the official installation instructions.", "Verify that functional access control is enabled in the new version to prevent re\u2011exposure.", "If upgrading is not immediately possible, restrict local user permissions so they cannot access the sensitive data paths exposed by the flaw.", "Monitor system logs for anomalous access patterns related to sensitive information."], "summary": {"action": "Patch Now", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "IBM Concert Software is affected, specifically versions 1.0.0 to 2.2.0. The fix is available in version 2.3.1, which restores appropriate access controls.", "description_and_impact": "A local user can obtain sensitive information because IBM Concert Software versions 1.0.0 through 2.2.0 lack functional level access control. The missing controls allow the user to read data that should be restricted, creating a confidentiality breach. No higher\u2011level privilege escalation or remote execution is described.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. Exploit probability data is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited public exploitation. The attack vector is local; a legitimate or compromised local account can exploit the flaw. Overall risk is moderate but should be mitigated promptly."}}}}, "created": "2026-03-25T21:46:05.999740+00:00", "updated": "2026-03-25T21:46:05.999774+00:00", "vendors": []}