Session Establishment Vulnerability in IBM Tivoli Federated Identity Manager
CVE-2012-3314

Currently unrated

Key Information:

Vendor: IBM
CVE Published: 2 October 2012

Summary

IBM Tivoli Federated Identity Manager and Business Gateway versions 6.1.1 through 6.2.2 have a vulnerability that allows remote attackers to create sessions by sending crafted messages. The issue stems from one of three validation failures: a signature-validation bypass for SAML messages that contain unsigned elements, improper validation of XML messages, or a failure to validate the certificate chain for XML signature elements that include the signing certificate. Any of these can potentially lead to unauthorized access.
