CVE-2013-5429

The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.2 before FP9 does not prevent reuse of One Time Password (OTP) tokens, which makes it easier for remote authenticated users to complete transactions by leveraging access to an already-used token.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:S/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg21660509	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21660510	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IV52624
https://exchange.xforce.ibmcloud.com/vulnerabilities/87561

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.8:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.3:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.4:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.1:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.7:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.6:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.5:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.2:::::::*

Information

Published : 2014-01-20 17:55

Updated : 2017-08-28 18:33

NVD link : CVE-2013-5429

Mitre link : CVE-2013-5429

JSON object : View

CWE

CWE-287

Improper Authentication

Advertisement

Products Affected

ibm

tivoli_federated_identity_manager

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21660509", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21660509", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21660510", "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21660510", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV52624", "name": "IV52624", "tags": [], "refsource": "AIXAPAR"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87561", "name": "ibm-tivoli-cve20135429-sec-bypass(87561)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.2 before FP9 does not prevent reuse of One Time Password (OTP) tokens, which makes it easier for remote authenticated users to complete transactions by leveraging access to an already-used token."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-287"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-5429", "ASSIGNER": "psirt@us.ibm.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-01-21T01:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-29T01:33Z"}