Vulnerability CVE-2012-3315


Published: 2012-11-08

Description:
The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request.
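The vulnerability class here is an incomplete J2EE `<security-constraint>` set: the console requires a login for most servlets, but some downloadable resources (here, federation metadata and a web plugin configuration template) are mapped to URL patterns that no constraint covers, or that a constraint covers only for certain HTTP methods. The following is an added audit script, not IBM's code or configuration; the web.xml it parses is constructed for illustration, and the servlet names and paths in it are hypothetical, not TFIM's real deployment descriptor. It lists every servlet mapping that an unauthenticated GET can reach, applying the servlet-spec matching rules (exact, path-prefix `/a/*`, extension `*.ext`) and treating a constraint that enumerates `<http-method>` as covering only those methods.

```python
"""Audit a J2EE web.xml for servlet mappings that no <security-constraint>
protects against an unauthenticated request (CWE-287 via incomplete
constraints). Added example; the descriptor below is constructed and the
servlet names/paths are hypothetical, not TFIM's real web.xml."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>Console</servlet-name>
    <url-pattern>/console/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MetadataDownload</servlet-name>
    <url-pattern>/download/metadata</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>PluginTemplate</servlet-name>
    <url-pattern>/download/plugin-template.xml</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Console</web-resource-name>
      <url-pattern>/console/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Template, POST only</web-resource-name>
      <url-pattern>/download/plugin-template.xml</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem (including elem) with the given local tag name."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def covers(constraint_pattern, servlet_pattern):
    """Servlet-spec URL matching: exact, path prefix ('/a/*'), extension ('*.ext')."""
    if constraint_pattern == servlet_pattern or constraint_pattern == "/*":
        return True
    if constraint_pattern.endswith("/*"):
        prefix = constraint_pattern[:-2]
        return servlet_pattern == prefix or servlet_pattern.startswith(prefix + "/")
    if constraint_pattern.startswith("*."):
        return servlet_pattern.endswith(constraint_pattern[1:])
    return False


def parse_constraints(root):
    """Return (url_patterns, http_methods, requires_auth) per security-constraint."""
    out = []
    for sc in _descendants(root, "security-constraint"):
        patterns = [p.text.strip() for p in _descendants(sc, "url-pattern")]
        # Listing <http-method> restricts the constraint to those methods only;
        # an empty set means it applies to every method.
        methods = {m.text.strip().upper() for m in _descendants(sc, "http-method")}
        # Any <auth-constraint>, even an empty one, restricts access. Without it
        # the constraint only sets transport guarantees and protects nothing.
        requires_auth = bool(_descendants(sc, "auth-constraint"))
        out.append((patterns, methods, requires_auth))
    return out


def unprotected_mappings(web_xml, method="GET"):
    """Servlet mappings reachable by `method` with no authenticating constraint."""
    root = ET.fromstring(web_xml)
    constraints = parse_constraints(root)
    findings = []
    for sm in _descendants(root, "servlet-mapping"):
        name = _descendants(sm, "servlet-name")[0].text.strip()
        for up in _descendants(sm, "url-pattern"):
            spat = up.text.strip()
            protected = any(
                requires_auth
                and (not methods or method in methods)
                and any(covers(cp, spat) for cp in patterns)
                for patterns, methods, requires_auth in constraints
            )
            if not protected:
                findings.append((name, spat))
    return findings


if __name__ == "__main__":
    for servlet, pattern in unprotected_mappings(SAMPLE_WEB_XML):
        print(f"UNPROTECTED (GET): {servlet} at {pattern}")
```

Against the constructed descriptor the script reports both download servlets: the metadata endpoint has no constraint at all, and the template endpoint is constrained only for POST, so a plain GET bypasses it. The corresponding fix is a constraint whose `<url-pattern>` covers the whole download path (for example `/download/*`) with no `<http-method>` list, so every verb requires the role.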

Type:

CWE-287

(Improper Authentication)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score:         5.0/10
Impact Subscore:         2.9/10
Exploitability Subscore: 10.0/10

Exploit range (Access Vector): Remote (network)
Attack complexity:             Low
Authentication:                Not required
Confidentiality impact:        Partial
Integrity impact:              None
Availability impact:           None
Affected software:
IBM -> Tivoli Federated Identity Manager
IBM -> Tivoli Federated Identity Manager Business Gateway

References:
http://xforce.iss.net/xforce/xfdb/77796
http://www-01.ibm.com/support/docview.wss?uid=swg21615772
http://www-01.ibm.com/support/docview.wss?uid=swg21615770
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26827
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26826
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26825

Copyright 2024, cxsecurity.com