The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 01:40
Type | Values Removed | Values Added |
---|---|---|
References | () http://secunia.com/advisories/51163 - | |
References | () http://www-01.ibm.com/support/docview.wss?uid=swg1IV26825 - | |
References | () http://www-01.ibm.com/support/docview.wss?uid=swg1IV26826 - | |
References | () http://www-01.ibm.com/support/docview.wss?uid=swg1IV26827 - | |
References | () http://www-01.ibm.com/support/docview.wss?uid=swg21615770 - Vendor Advisory | |
References | () http://www-01.ibm.com/support/docview.wss?uid=swg21615772 - | |
References | () https://exchange.xforce.ibmcloud.com/vulnerabilities/77796 - |
Information
Published : 2012-11-08 11:46
Updated : 2024-11-21 01:40
NVD link : CVE-2012-3315
Mitre link : CVE-2012-3315
CVE.ORG link : CVE-2012-3315
JSON object : View
Products Affected
ibm
- tivoli_federated_identity_manager_business_gateway
- tivoli_federated_identity_manager
CWE
CWE-287
Improper Authentication