Lucene search

IbmCVE-2012-6359

HistoryJan 18, 2013 - 9:55 p.m.

CVE-2012-6359

2013-01-1821:55:00

CWE-264

ibm

web.nvd.nist.gov

ibm

tfim

tfimbg

openid

attribute validation

security vulnerability

cve-2012-6359

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6.4

Confidence

Low

EPSS

0.003

Percentile

67.7%

JSON

IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not check whether an OpenID attribute is signed in the (1) SREG (aka simple registration extension) and (2) AX (aka attribute exchange extension) cases, which allows man-in-the-middle attackers to spoof OpenID provider data by inserting unsigned attributes.

Affected configurations

Nvd

Node

ibmtivoli_federated_identity_managerMatch6.2.0

ibmtivoli_federated_identity_managerMatch6.2.0.1

ibmtivoli_federated_identity_managerMatch6.2.0.2

ibmtivoli_federated_identity_managerMatch6.2.0.3

ibmtivoli_federated_identity_managerMatch6.2.0.8

ibmtivoli_federated_identity_managerMatch6.2.0.9

ibmtivoli_federated_identity_managerMatch6.2.0.10

Node

ibmtivoli_federated_identity_managerMatch6.2.1

ibmtivoli_federated_identity_managerMatch6.2.1.1

ibmtivoli_federated_identity_managerMatch6.2.1.2

Node

ibmtivoli_federated_identity_managerMatch6.2.2

Node

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.0

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.0.1

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.0.2

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.0.3

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.0.8

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.0.9

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.0.10

Node

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.1

Node

ibmtivoli_federated_identity_manager_business_gatewayMatch6.2.2

VendorProductVersionCPE
ibmtivoli_federated_identity_manager6.2.0cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.0.1cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.0.2cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.0.3cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.0.8cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.0.9cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.9:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.0.10cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.10:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.1cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.1.1cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.1:*:*:*:*:*:*:*
ibmtivoli_federated_identity_manager6.2.1.2cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	tivoli_federated_identity_manager	6.2.0	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:::::::*
ibm	tivoli_federated_identity_manager	6.2.0.1	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:::::::*
ibm	tivoli_federated_identity_manager	6.2.0.2	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:::::::*
ibm	tivoli_federated_identity_manager	6.2.0.3	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:::::::*
ibm	tivoli_federated_identity_manager	6.2.0.8	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:::::::*
ibm	tivoli_federated_identity_manager	6.2.0.9	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.9:::::::*
ibm	tivoli_federated_identity_manager	6.2.0.10	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.10:::::::*
ibm	tivoli_federated_identity_manager	6.2.1	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1:::::::*
ibm	tivoli_federated_identity_manager	6.2.1.1	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.1:::::::*
ibm	tivoli_federated_identity_manager	6.2.1.2	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.2:::::::*

Rows per page:

1-10 of 201

References

secunia.com/advisories/51212

www-01.ibm.com/support/docview.wss?uid=swg1IV23451

www-01.ibm.com/support/docview.wss?uid=swg1IV23452

www-01.ibm.com/support/docview.wss?uid=swg1IV23453

www-01.ibm.com/support/docview.wss?uid=swg21615744

www-01.ibm.com/support/docview.wss?uid=swg21615748

www.securityfocus.com/bid/56390

exchange.xforce.ibmcloud.com/vulnerabilities/77790

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6.4

Confidence

Low

EPSS

0.003

Percentile

67.7%

JSON

Related for CVE-2012-6359