Cyber Posture

CVE-2024-52367

Severity: Medium
Published: 07 January 2025
Modified: 18 July 2025
KEV Added: not listed
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0010 (28.1st percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-52367 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in IBM Concert. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082). It ranks at the 28.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to System Information Discovery (T1082). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Protects sensitive information associated with public-facing systems from unauthorized remote access, directly mitigating the network-accessible disclosure to unauthenticated actors.
- prevent: Filters information prior to output to non-privileged users, preventing the unauthorized disclosure of sensitive system information.
- prevent: Ensures error messages reveal only non-sensitive information, addressing common vectors for sensitive system data exposure to attackers.

MITRE ATT&CK Enterprise Techniques

T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Why these techniques?

Direct information disclosure enables remote System Information Discovery without authentication.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could disclose sensitive system information to an unauthorized actor that could be used in further attacks against the system.

Deeper analysis

CVE-2024-52367 affects IBM Concert Software versions 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3, where the software could disclose sensitive system information to an unauthorized actor. This vulnerability, mapped to CWE-497 (with NVD-CWE-noinfo), carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), reflecting medium severity primarily due to low-impact confidentiality loss.

A remote attacker without privileges or user interaction can exploit this over the network with low attack complexity. Exploitation results in access to sensitive system information, which could facilitate further attacks against the system.

The IBM security advisory provides details on remediation; see https://www.ibm.com/support/pages/node/7180303.

Details

CWE(s)

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

Affected Products

Vendor: ibm
Product: concert
Versions: 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, 1.0.3

CVEs Like This One

- CVE-2025-64647 (same product: IBM Concert)
- CVE-2024-49354 (same product: IBM Concert)
- CVE-2025-1719 (same product: IBM Concert)
- CVE-2025-1722 (same product: IBM Concert)
- CVE-2025-33089 (same product: IBM Concert)
- CVE-2025-33015 (same product: IBM Concert)
- CVE-2025-13691 (same vendor: IBM)
- CVE-2025-13616 (same vendor: IBM)
- CVE-2024-43178 (same product: IBM Concert)
- CVE-2025-36253 (same product: IBM Concert)
