CVE-2012-3315

Published: Nov 8, 2012Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request.

Affected (16)

Products: Ibm: Tivoli Federated Identity Manager, Tivoli Federated Identity Manager Business Gateway

Ibm

2 products

Tivoli Federated Identity Manager

Tivoli Federated Identity Manager Business Gateway

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Ibm Tivoli Federated Identity Manager	Up to 6.2.2
Ibm Tivoli Federated Identity Manager	Version 6.1.1
Ibm Tivoli Federated Identity Manager	Version 6.2.0.1
Ibm Tivoli Federated Identity Manager	Version 6.2.0.2
Ibm Tivoli Federated Identity Manager	Version 6.2.0.3
Ibm Tivoli Federated Identity Manager	Version 6.2.0.8
Ibm Tivoli Federated Identity Manager	Version 6.2.0.9
Ibm Tivoli Federated Identity Manager	Version 6.2.0
Ibm Tivoli Federated Identity Manager	Version 6.2.1

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Ibm Tivoli Federated Identity Manager Business Gateway	Up to 6.2.1
Ibm Tivoli Federated Identity Manager Business Gateway	Version 6.1.1
Ibm Tivoli Federated Identity Manager Business Gateway	Version 6.2.0.1
Ibm Tivoli Federated Identity Manager Business Gateway	Version 6.2.0.2
Ibm Tivoli Federated Identity Manager Business Gateway	Version 6.2.0.3
Ibm Tivoli Federated Identity Manager Business Gateway	Version 6.2.0.8
Ibm Tivoli Federated Identity Manager Business Gateway	Version 6.2.0