CVE-2025-36154: IBM Concert Software Cleartext Storage in a File or on Disk.
Published Dec 22, 2025
IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.
Affected Software
3 affected components
IBM Concert >=1.0.0, <=2.1.0
IBM Concert Software <=1.0.0-2.1.0
IBM Concert >=1.0.0, <2.2.0
Remediation
Information
Remediation/Fixes: IBM strongly recommends addressing the vulnerabilities now by upgrading to IBM Concert Software 2.2.0. Download IBM Concert Software 2.2.0 from the Container software library section of IBM Entitled Registry (ICR) and follow the installation instructions for your type of deployment.
Event History
Dec 22, 2025
CVE Published via IBM · 12:00 AM
Data Sourced via IBM · 12:00 AM: Description, Affected Software
Dec 24, 2025
CVE Published via MITRE · 07:01 PM
Data Sourced via MITRE · 07:01 PM: Remedy, Description, Severity, Weakness
Data Sourced via NVD · 07:15 PM: Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2025-36154?
CVE-2025-36154 has a medium severity due to the exposure of sensitive information in cleartext.
2. How do I fix CVE-2025-36154?
To mitigate CVE-2025-36154, upgrade IBM Concert Software to version 2.1.1 or later.
3. What kind of sensitive information is exposed in CVE-2025-36154?
CVE-2025-36154 exposes sensitive information that can include credentials or configuration data stored in cleartext.
4. Who is affected by CVE-2025-36154?
Users of IBM Concert versions 1.0.0 to 2.1.0 are affected by CVE-2025-36154 during recursive docker builds.
5. Can a local user exploit CVE-2025-36154?
Yes, a local user can exploit CVE-2025-36154 to access sensitive information stored in cleartext.