CVE-2024-49354
Published: 18 January 2025
Description
IBM Concert 1.0.0, 1.0.1, and 1.0.2 is vulnerable to sensitive information disclosure through specially crafted API Calls.
Security Summary
CVE-2024-49354 is a sensitive information disclosure vulnerability affecting IBM Concert versions 1.0.0, 1.0.1, and 1.0.2. The flaw allows unauthorized access to sensitive data through specially crafted API calls and is classified under CWE-213. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with network accessibility, low attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality impact, and no integrity or availability impact.
Remote attackers can exploit this vulnerability over the network without authentication by sending maliciously crafted API requests to affected IBM Concert instances. Successful exploitation results in the disclosure of sensitive information, potentially aiding further attacks, though the impact is limited to low confidentiality loss.
IBM has published a security advisory with details on the vulnerability at https://www.ibm.com/support/pages/node/7174120. Security practitioners should consult this bulletin for guidance on available patches and mitigation steps.
Details
- CWE(s): CWE-213