In certain cases, IBM Tivoli Federated Identity Manager does not correctly handle end user provided data before using that data to construct an HTTP redirect request.
CVE ID:CVE-2014-3097
**DESCRIPTION:** In certain cases, IBM Tivoli Federated Identity Manager does not correctly handle end user provided data before using that data to construct an HTTP redirect request. If a compromised client can be caused to send a crafted request, that system could be induced to visit a malicious site without the awareness of the user of that system.
The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the availability of the system.
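The defect described above is an open redirect: a redirect target taken from the request is passed through without being checked against the site's own origin. The following validator is an added example and is not IBM's or TFIM's code; the allow-listed hosts are hypothetical, and the naive prefix check is included only to show why substring matching is not enough.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts this deployment may redirect to (constructed for the example).
ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}
DEFAULT_TARGET = "/"


def naive_is_safe(target: str) -> bool:
    """Prefix check of the kind that leads to open redirects: it accepts
    scheme-relative "//host" targets and look-alike hosts."""
    return target.startswith("/") or target.startswith("https://sso.example.com")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site absolute path or an https URL whose host
    exactly matches an allow-listed host."""
    if not target:
        return False
    # Browsers treat backslashes like slashes; CR/LF would permit header injection.
    if "\\" in target or "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: exact host match, so "sso.example.com.evil.example"
        # and "sso.example.com@evil.example" are both rejected.
        host = (parts.hostname or "").lower()
        return parts.scheme == "https" and host in allowed_hosts
    if parts.netloc:
        # Scheme-relative "//evil.example/..." resolves to another site.
        return False
    # Relative target: a single leading "/" keeps the browser on this origin.
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target: str, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET) -> str:
    """Return the requested target if it passes validation, else a safe default."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    for t in ["/protected/app?x=1", "//evil.example/phish", "https://sso.example.com.evil.example/"]:
        print(f"{t!r}: naive={naive_is_safe(t)} hardened={is_safe_redirect(t)}")
```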
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94265> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
IBM Tivoli Federated Identity Manager 6.2.0, 6.2.1, 6.2.2
IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM Tivoli Federated Identity Manager 6.2.2 | 6.2.2 | IV64324, IV64325, IV64349, IV64376, IV64494 | 6.2.2-TIV-TFIM-IF0011 |
IBM Tivoli Federated Identity Manager 6.2.1 | 6.2.1 | IV64497, IV64501, IV64506 | 6.2.1-TIV-TFIM-IF0007 |
IBM Tivoli Federated Identity Manager 6.2 | 6.2.0 | IV64509, IV64511, IV64512 | 6.2.0-TIV-TFIM-IF0015 |
None
CPE:
Name | Operator | Version |
---|---|---|
tivoli federated identity manager | eq | 6.2 |
tivoli federated identity manager | eq | 6.2.1 |
tivoli federated identity manager | eq | 6.2.2 |