CVE-2012-3315 Information
Description
The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template via a crafted request.
Reference
http://secunia.com/advisories/51163
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26825
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26826
http://www-01.ibm.com/support/docview.wss?uid=swg1IV26827
http://www-01.ibm.com/support/docview.wss?uid=swg21615770
http://www-01.ibm.com/support/docview.wss?uid=swg21615772
https://exchange.xforce.ibmcloud.com/vulnerabilities/77796