|
Description
|
|
A security issue and two vulnerabilities have been reported in IBM Security Identity Manager and IBM Tivoli Identity Manager, which can be exploited by malicious, local users to disclose certain sensitive information, by malicious users to bypass certain security restrictions, and by malicious people to conduct cross-site request forgery attacks.
1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions if a logged-in administrator visits a malicious web site.
2) An error related to server side LDAP queries can be exploited to bypass UI controls and gain access to otherwise restricted information.
3) The application stores encrypted user credentials and the keystore password in cleartext in configuration files. This can be exploited to decrypt the SIM username and passwords.
The security issue and vulnerabilities are reported in versions prior to 5.1.0.15-ISS-TIM-IF0057 and 6.0.0.4-ISS-SIM-IF0001.
|
