CVE-2011-3138

The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety.

Published: Aug 12, 2011
Updated: Apr 13, 2023
CVE: CVE-2011-3138
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
ibm / tivoli_federated_identity_manager	6.2.0.2	6.2.0.2.x
ibm / tivoli_federated_identity_manager	6.2.0	6.2.0.x
ibm / tivoli_federated_identity_manager	6.2.0.1	6.2.0.1.x
ibm / tivoli_federated_identity_manager	6.2.0.3	6.2.0.3.x
ibm / tivoli_federated_identity_manager	6.2.0.8	6.2.0.8.x
ibm / tivoli_federated_identity_manager_business_gateway	6.2.0	6.2.0.x
ibm / tivoli_federated_identity_manager_business_gateway	6.2.0.1	6.2.0.1.x
ibm / tivoli_federated_identity_manager_business_gateway	6.2.0.3	6.2.0.3.x
ibm / tivoli_federated_identity_manager_business_gateway	6.2.0.8	6.2.0.8.x
ibm / tivoli_federated_identity_manager_business_gateway	6.2.0.2	6.2.0.2.x

Vulnerability Database

290,206

CVE-2011-3138