The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N
Vendors Products
Ibm
  • Tivoli Federated Identity Manager
  • Tivoli Federated Identity Manager Business Gateway

Configuration 1 [-]

OR cpe:2.3:a:ibm:tivoli_federated_identity_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.1.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.1.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.8:*:*:*:*:*:*:*
References
Link Resource
http://secunia.com/advisories/51163
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26825
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26826
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26827
http://www-01.ibm.com/support/docview.wss?uid=swg21615770 Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21615772
https://exchange.xforce.ibmcloud.com/vulnerabilities/77796
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2012-11-08T11:00:00

Updated: 2017-08-28T12:57:01

Reserved: 2012-06-07T00:00:00

Link: CVE-2012-3315

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2012-11-08T11:46:23.830

Modified: 2017-08-29T01:31:53.087

Link: CVE-2012-3315

JSON object: View

cve-icon Redhat Information

No data.

CWE