Auth bypass in Ibm Tivoli_federated_identity_manager

CVE-2012-3315

The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads…

Vulnerability class: Broken Authentication

EPSS: 0.004 (61.4th percentile) — read the EPSS interpretation.

Affected products

Ibm Tivoli_federated_identity_manager — versions 6.1.1, 6.2.0, 6.2.0.1
Ibm Tivoli_federated_identity_manager_business_gateway — versions 6.1.1, 6.2.0, 6.2.0.1
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

IV26827 (vendor-advisory, x_refsource_AIXAPAR)
psirt@us.ibm.com (x_refsource_CONFIRM)
psirt@us.ibm.com (x_refsource_CONFIRM, Vendor Advisory)
51163 (x_refsource_SECUNIA, third-party-advisory)
IV26825 (vendor-advisory, x_refsource_AIXAPAR)
IV26826 (vendor-advisory, x_refsource_AIXAPAR)
tfim-mcs-unauth-access(77796) (vdb-entry, x_refsource_XF)