CVE-2012-3314

IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1, 6.2.0, 6.2.1, and 6.2.2 allow remote attackers to establish sessions via a crafted message that leverages (1) a signature-validation bypass for SAML messages containing unsigned elements, (2) incorrect validation of XML messages, or (3) a certificate-chain validation bypass for an XML signature element that contains the signing certificate.

CVSS v2.0 5.8 MEDIUM

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg1IV23435
http://www-01.ibm.com/support/docview.wss?uid=swg1IV23442
http://www-01.ibm.com/support/docview.wss?uid=swg1IV23445
http://www-01.ibm.com/support/docview.wss?uid=swg1IV23448
http://www-01.ibm.com/support/docview.wss?uid=swg21612612	Patch Vendor Advisory
http://www.securityfocus.com/bid/55732

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.1.1:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.1.1:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.1:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.2:::::::*

History

No history.

Information

Published : 2012-10-02 21:55

Updated : 2024-02-04 18:16

NVD link : CVE-2012-3314

Mitre link : CVE-2012-3314

CVE.ORG link : CVE-2012-3314

JSON object : View

Products Affected

ibm

tivoli_federated_identity_manager
tivoli_federated_identity_manager_business_gateway

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2012-3314", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-10-02T21:55:01.333", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV23435", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV23442", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV23445", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV23448", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21612612", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www.securityfocus.com/bid/55732", "source": "psirt@us.ibm.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1, 6.2.0, 6.2.1, and 6.2.2 allow remote attackers to establish sessions via a crafted message that leverages (1) a signature-validation bypass for SAML messages containing unsigned elements, (2) incorrect validation of XML messages, or (3) a certificate-chain validation bypass for an XML signature element that contains the signing certificate."}, {"lang": "es", "value": "IBM Tivoli Federated Identity Manager (TFIM) y Tivoli Federated Identity Manager Business Gateway (TFIMBG) v6.1.1, v6.2.0, v6.2.1, y v6.2.2 permite atacantes remotos establecer sesiones a trav\u00e9s de un mensaje que\r\n aprovecha (1) para evitar una validaci\u00f3n de firma que para mensajes SAML que contienen elementos no firmados, (2) validaci\u00f3n incorrecta de mensajes XML, o (3) evitar la validaci\u00f3n de una cadena de certificados de un elemento XML firmado que contiene la firma del certificado."}], "lastModified": "2013-02-01T04:49:16.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7713A26A-87C9-4BF1-A6D1-89DFD7BF5574"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E508843E-DEA8-433D-AFD5-2730D2745E0B"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F674F64E-F51F-4F5E-AFCD-952958E66FE2"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93F48368-9617-4EE6-BF7A-6873229C0D66"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58E139B7-C2A2-4505-A384-8C3F08D211E4"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1807D56B-4569-47FB-8562-0DA753DCFD89"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C58DE666-C96D-48DA-B9C2-D99055976B55"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A937255-421C-450C-AA0D-3FF28B81D565"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}