
Security Bulletin: Open Redirection in IBM Tivoli Federated Identity Manager (CVE-2014-3097)

2018-06-16 21:19:45
www.ibm.com

EPSS: 0.005 (Low), percentile 75.5%

Summary

In certain cases, IBM Tivoli Federated Identity Manager does not correctly handle end-user-provided data before using that data to construct an HTTP redirect request.

Vulnerability Details

CVE ID:CVE-2014-3097

**DESCRIPTION:** In certain cases, IBM Tivoli Federated Identity Manager does not correctly handle end-user-provided data before using that data to construct an HTTP redirect request. If a client can be induced to send a crafted request, the redirect it receives could send that client to a malicious site without the awareness of the user of that system.

The vulnerability can be exploited from a remote network, is of medium complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the availability of the system.
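An open redirect of the kind described above is mitigated by validating the user-supplied target before it is placed in a `Location` header. The check below is an added example, not IBM's code or the TFIM fix: it accepts only same-site paths or absolute `https` URLs on the expected host, and rejects the forms that commonly slip past a naive "starts with /" test (protocol-relative `//host`, backslash variants, embedded credentials, non-https schemes). The host name `idp.example` and all sample targets are constructed.

```python
from urllib.parse import urlsplit


def is_safe_redirect_target(target: str, expected_host: str) -> bool:
    """Return True only if `target` stays on expected_host.

    Accepts a rooted relative path ("/app?x=1") or an absolute https URL
    whose host is exactly expected_host. Everything else is rejected.
    """
    if not target:
        return False
    # Control characters and whitespace are stripped by some parsers and
    # can be used to smuggle a different URL past a prefix check.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat "\" like "/" in the authority position, so "/\evil"
    # becomes "//evil" (protocol-relative). Normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only https, and the parsed host (not the raw netloc,
        # which may carry "user@") must match exactly.
        host = (parts.hostname or "").lower()
        return parts.scheme == "https" and host == expected_host.lower()
    if parts.netloc:
        # Scheme-less "//other.example/..." resolves to another origin.
        return False
    # Rooted path only; "//..." and "///..." are caught here as well.
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_location(target: str, expected_host: str,
                           fallback: str = "/") -> str:
    """Value to emit in the Location header: the target if safe, else a
    fixed in-site fallback. Never echoes an unsafe target back."""
    return target if is_safe_redirect_target(target, expected_host) else fallback


if __name__ == "__main__":
    # Constructed sample values as they might arrive in a redirect parameter.
    samples = [
        "/sps/saml20/login?x=1",
        "https://idp.example/sps/app",
        "//attacker.example/",
        "/\\attacker.example",
        "https://idp.example@attacker.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_location(s, 'idp.example')!r}")
```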

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94265> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Tivoli Federated Identity Manager 6.2.0, 6.2.1, 6.2.2

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM Tivoli Federated Identity Manager 6.2.2 | 6.2.2 | IV64324, IV64325, IV64349, IV64376, IV64494 | 6.2.2-TIV-TFIM-IF0011 |
| IBM Tivoli Federated Identity Manager 6.2.1 | 6.2.1 | IV64497, IV64501, IV64506 | 6.2.1-TIV-TFIM-IF0007 |
| IBM Tivoli Federated Identity Manager 6.2 | 6.2.0 | IV64509, IV64511, IV64512 | 6.2.0-TIV-TFIM-IF0015 |

Workarounds and Mitigations

None
