Vulnerability Details CVE-2012-6359
IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not check whether an OpenID attribute is signed in the (1) SREG (aka simple registration extension) and (2) AX (aka attribute exchange extension) cases, which allows man-in-the-middle attackers to spoof OpenID provider data by inserting unsigned attributes.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.6%
CVSS Severity
CVSS v2 Score 4.3
References
- http://secunia.com/advisories/51212
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV23451
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV23452
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV23453
- http://www-01.ibm.com/support/docview.wss?uid=swg21615744
- http://www-01.ibm.com/support/docview.wss?uid=swg21615748
- http://www.securityfocus.com/bid/56390
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77790
- http://secunia.com/advisories/51212
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV23451
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV23452
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV23453
- http://www-01.ibm.com/support/docview.wss?uid=swg21615744
- http://www-01.ibm.com/support/docview.wss?uid=swg21615748
- http://www.securityfocus.com/bid/56390
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77790
Products affected by CVE-2012-6359
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.10
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.9
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.1
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.2
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.1
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.10
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.2
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.3
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.8
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.9
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.1
-
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.2