CVE-2012-3315

Currently unrated

Key Information:

Vendor: IBM
Status: Tivoli Federated Identity Manager
Vendor: CVE Published:; 8 November 2012

Summary

The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request.

References

http://www-01.ibm.com/support/docview.wss?uid=swg1IV26827

vendor-advisoryx_refsource_AIXAPAR

http://www-01.ibm.com/support/docview.wss?uid=swg21615772

x_refsource_CONFIRM

http://www-01.ibm.com/support/docview.wss?uid=swg21615770

x_refsource_CONFIRM

Timeline

Vulnerability published
Nov 8, 2012
Vulnerability Reserved
Jun 7, 2012