Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2012-6359

Опубликовано: 18 янв. 2013
Источник: nvd
CVSS2: 4.3
EPSS Низкий

Описание

IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not check whether an OpenID attribute is signed in the (1) SREG (aka simple registration extension) and (2) AX (aka attribute exchange extension) cases, which allows man-in-the-middle attackers to spoof OpenID provider data by inserting unsigned attributes.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.10:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1.2:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2:*:*:*:*:*:*:*
Конфигурация 4

Одно из

cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.10:*:*:*:*:*:*:*
Конфигурация 5
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.1:*:*:*:*:*:*:*
Конфигурация 6
cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.2:*:*:*:*:*:*:*

EPSS

Процентиль: 66%
0.00515
Низкий

4.3 Medium

CVSS2

Дефекты

CWE-264

Связанные уязвимости

github логотип

GHSA-xgg6-h359-rv3p

github
больше 3 лет назад

IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not check whether an OpenID attribute is signed in the (1) SREG (aka simple registration extension) and (2) AX (aka attribute exchange extension) cases, which allows man-in-the-middle attackers to spoof OpenID provider data by inserting unsigned attributes.

EPSS

Процентиль: 66%
0.00515
Низкий

4.3 Medium

CVSS2

Дефекты

CWE-264