CVE-2012-6359

Sažetak

IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not check whether an OpenID attribute is signed in the (1) SREG (aka simple registration extension) and (2) AX (aka attribute exchange extension) cases, which allows man-in-the-middle attackers to spoof OpenID provider data by inserting unsigned attributes.

Reference

http://secunia.com/advisories/51212
http://www.securityfocus.com/bid/56390
http://www-01.ibm.com/support/docview.wss?uid=swg1IV23451
http://www-01.ibm.com/support/docview.wss?uid=swg1IV23452
http://www-01.ibm.com/support/docview.wss?uid=swg1IV23453
http://www-01.ibm.com/support/docview.wss?uid=swg21615744
http://www-01.ibm.com/support/docview.wss?uid=swg21615748
https://exchange.xforce.ibmcloud.com/vulnerabilities/77790

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

29-08-2017 - 01:32

Objavljeno

18-01-2013 - 21:55