Security Bulletin: Tivoli Federated Identity Manager - Unprotected Management Console Servlets (CVE-2012-3315)

Abstract SUMMARY The management console used to administer Tivoli Federated Identity Manager contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM. Content VULNERABILITY DETAILS...

Cross site request forgery (csrf)

The Java servlets in the management console in IBM Tivoli Federated Identity Manager TFIM through 6.2.2 and Tivoli Federated Identity Manager Business Gateway TFIMBG before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE securi...

CVE-2012-3315

The Java servlets in the management console in IBM Tivoli Federated Identity Manager TFIM through 6.2.2 and Tivoli Federated Identity Manager Business Gateway TFIMBG before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE securi...