Vulnerability Description
The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ibm | Tivoli Federated Identity Manager | <= 6.2.2 |
| Ibm | Tivoli Federated Identity Manager Business Gateway | <= 6.2.1 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/51163
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV26825
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV26826
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV26827
- http://www-01.ibm.com/support/docview.wss?uid=swg21615770Vendor Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21615772
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77796
- http://secunia.com/advisories/51163
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV26825
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV26826
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV26827
- http://www-01.ibm.com/support/docview.wss?uid=swg21615770Vendor Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21615772
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77796
FAQ
What is CVE-2012-3315?
CVE-2012-3315 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require au...
How severe is CVE-2012-3315?
CVE-2012-3315 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-3315?
Check the references section above for vendor advisories and patch information. Affected products include: Ibm Tivoli Federated Identity Manager, Ibm Tivoli Federated Identity Manager Business Gateway.