Security Bulletin: IBM Tivoli Federated Identity Manager OpenID: signature validation not applied to all attributes (CVE-2012-6359)
IBM PSIRT | Tags: psirtsecurity psirtmedium
An OpenID message can be modified to contain unsigned attributes that will be accepted by a relying party because Tivoli Federated Identity Manager (TFIM) does not check that all attributes have been signed.
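A relying-party check for the condition described above, as an added example that is not IBM's code or the TFIM fix: once `openid.sig` has verified, it rejects any response carrying a field that `openid.signed` does not list. The sample message, its hosts and the `UNSIGNED_OK` set are constructed assumptions; the required-field list follows OpenID Authentication 2.0.

```python
# Added example (not IBM code). Verification of openid.sig is assumed to have
# succeeded already; this checks what that signature actually covers.
REQUIRED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
IF_PRESENT = ("claimed_id", "identity")        # must be signed when present
UNSIGNED_OK = {"sig", "signed", "mode", "ns"}  # assumption of this example

def covered_fields(params):
    """Field names (without the 'openid.' prefix) listed in openid.signed."""
    return {f for f in params.get("openid.signed", "").split(",") if f}

def unsigned_fields(params):
    """openid.* fields present in the message but not covered by the signature."""
    names = {k[len("openid."):] for k in params if k.startswith("openid.")}
    return sorted(names - covered_fields(params) - UNSIGNED_OK)

def signed_attributes(params):
    """Return sreg/ax attributes only if every field in the message is signed."""
    covered = covered_fields(params)
    missing = [f for f in REQUIRED if f not in covered]
    missing += [f for f in IF_PRESENT if "openid." + f in params and f not in covered]
    problems = sorted(set(missing + unsigned_fields(params)))
    if problems:
        raise ValueError("fields not covered by openid.signed: %s" % problems)
    return {k: v for k, v in params.items()
            if k.startswith(("openid.sreg.", "openid.ax."))}

# Constructed sample response (placeholder hosts and values).
GOOD = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2012-01-01T00:00:00Zabc",
    "openid.assoc_handle": "h1",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.nickname": "alice",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.sreg,sreg.nickname",
    "openid.sig": "constructed-placeholder",
}
# Same message with one attribute that openid.signed does not list.
MODIFIED = dict(GOOD, **{"openid.sreg.email": "alice@rp.example"})
```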
Affected product(s) & Affected version(s):
Tivoli Federated Identity Manager versions 6.2.0, 6.2.1, 6.2.2
Refer to the following reference URLs for remediation and additional vulnerability details.