Vulnerability Details: CVE-2011-3138
The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety.
Products affected by CVE-2011-3138
- cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-3138
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- Percentile: ~54% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2011-3138
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | 
References for CVE-2011-3138
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69198 (IBM Tivoli Federated Identity Manager security bypass CVE-2011-3138 Vulnerability Report)
- http://www.ibm.com/support/docview.wss?uid=swg24029498 (IBM Tivoli Fed Id Mgr Business Gateway v6.2.0, Fix Pack 9, 6.2.0-TIV-TFIMBG-FP0009)
- http://www.ibm.com/support/docview.wss?uid=swg24029497 (IBM Tivoli Federated Identity Manager 6.2.0 Fixpack 9 (6.2.0-TIV-TFIM-FP0009))
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV01318 (IBM IV01318: LTPA MODULE PERMITS CONCURRENT ACCESS TO NON THREAD SAFE CLASS)