Description
IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.
Published: 2026-04-07
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Overwrite via Predictable Temporary Files
Action: Patch
AI Analysis

Impact

IBM Concert versions 1.0.0 to 2.2.0 generate temporary files whose names are predictable. A local user can create a symbolic link pointing to an arbitrary file and trigger the application to write to the temporary location, resulting in the targeted file being overwritten. This allows the local attacker to replace or modify executable or configuration files, potentially compromising the integrity of the application or the host system. The weakness is a classic insecure temporary storage issue, corresponding to CWE-340.

Affected Systems

The vulnerability applies to IBM Concert Software from version 1.0.0 through 2.2.0, inclusive. Any deployment of these versions, regardless of operating system, is affected.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate risk, while an EPSS score of less than 1% suggests a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local user access; there is no network-based attack vector mentioned. Based on the description, the likely attack scenario involves a local malicious user or compromised process creating a symbolic link before the application runs.

Generated by OpenCVE AI on April 7, 2026 at 21:27 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1 Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment. IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1 Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR ) and follow installation instructions depending on the type of deployment.

Vendor Workaround

None None

OpenCVE Recommended Actions

  • Upgrade IBM Concert Software to version 2.3.1 following IBM’s installation instructions for your deployment type

Generated by OpenCVE AI on April 7, 2026 at 21:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.
Title Multiple Vulnerabilities in IBM Concert Software
First Time appeared Ibm
Ibm concert
Weaknesses CWE-340
CPEs cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm concert
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Ibm Concert
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-07T16:24:57.410Z

Reserved: 2025-11-11T22:42:06.302Z

Link: CVE-2025-13044

cve-icon Vulnrichment

Updated: 2026-04-07T16:24:50.350Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T02:16:15.343

Modified: 2026-04-07T18:18:54.453

Link: CVE-2025-13044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:14Z

Weaknesses