CVE-2011-3138

3 documents3 sources

Severity

5.0MEDIUM

EPSS

0.2%

top 54.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Tivoli Federated Identity Manager IBM Tivoli Federated Identity Manager Business Gateway

Timeline

PublishedAug 12

Latest updateMay 17

Description

The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDibm/tivoli_federated_identity_manager_business_gateway5 versions+4

▶NVDibm/tivoli_federated_identity_manager5 versions+4

🔴Vulnerability Details

GHSA

GHSA-3r9x-6pcg-2762: The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6↗2022-05-17

▶

CVEList

CVE-2011-3138: The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6↗2011-08-12

▶