CVE-2008-7299

2011-08-1217:00:00

mitre

www.cve.org

ibm tivoli

saml 1.x

browser-artifact

incomplete handling

remote openid providers

issuer field

spoof assertions

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

40.7%

JSON

IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2 uses an incomplete SAML 1.x browser-artifact, which allows remote OpenID providers to spoof assertions via vectors related to the Issuer field.

References

www-01.ibm.com/support/docview.wss?uid=swg1IZ35742

www.ibm.com/support/docview.wss?uid=swg24029497