IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 prior to 6.2.0.11, 6.2.1 prior to 6.2.1.3, and 6.2.2 prior to 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 prior to 6.2.0.11, 6.2.1 prior to 6.2.1.3, and 6.2.2 prior to 6.2.2.2 do not check whether an OpenID attribute is signed in the (1) SREG (aka simple registration extension) and (2) AX (aka attribute exchange extension) cases, which allows man-in-the-middle malicious users to spoof OpenID provider data by inserting unsigned attributes.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
ibm tivoli federated identity manager 6.2.0.8 |
||
ibm tivoli federated identity manager 6.2.0.9 |
||
ibm tivoli federated identity manager 6.2.0.2 |
||
ibm tivoli federated identity manager 6.2.0.3 |
||
ibm tivoli federated identity manager 6.2.0.10 |
||
ibm tivoli federated identity manager 6.2.0 |
||
ibm tivoli federated identity manager 6.2.0.1 |
||
ibm tivoli federated identity manager 6.2.1 |
||
ibm tivoli federated identity manager 6.2.1.1 |
||
ibm tivoli federated identity manager 6.2.1.2 |
||
ibm tivoli federated identity manager 6.2.2 |
||
ibm tivoli federated identity manager business gateway 6.2.0 |
||
ibm tivoli federated identity manager business gateway 6.2.0.9 |
||
ibm tivoli federated identity manager business gateway 6.2.0.10 |
||
ibm tivoli federated identity manager business gateway 6.2.0.1 |
||
ibm tivoli federated identity manager business gateway 6.2.0.2 |
||
ibm tivoli federated identity manager business gateway 6.2.0.3 |
||
ibm tivoli federated identity manager business gateway 6.2.0.8 |
||
ibm tivoli federated identity manager business gateway 6.2.1 |
||
ibm tivoli federated identity manager business gateway 6.2.2 |