CVE-2013-5429 : The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federate

The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.2 before FP9 does not prevent reuse of One Time Password (OTP) tokens, which makes it easier for remote authenticated users to complete transactions by leveraging access to an already-used token.

Published 2014-01-21 01:55:04

Updated 2017-08-29 01:33:47

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2013-5429

Probability of exploitation activity in the next 30 days: 0.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-5429

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:N/AC:H/Au:S/C:N/I:P/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2013-5429

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-5429

http://www-01.ibm.com/support/docview.wss?uid=swg1IV52624

IBM notice: The page you requested cannot be displayed
https://exchange.xforce.ibmcloud.com/vulnerabilities/87561

IBM Tivoli Federated Identity Manager Business Gateway security bypass CVE-2013-5429 Vulnerability Report
http://www-01.ibm.com/support/docview.wss?uid=swg21660510

IBM notice: The page you requested cannot be displayed
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21660509

IBM Security Bulletin: Tivoli Federated Identity Manager One Time Password Enforcement (CVE-2013-5429)
Vendor Advisory

Products affected by CVE-2013-5429

IBM » Tivoli Federated Identity Manager » Version: 6.2.2
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.2
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.2:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.3
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.3:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.8
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.8:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.4
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.4:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.1
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.1:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.7
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.7:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.6
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.6:*:*:*:*:*:*:*
Matching versions
IBM » Tivoli Federated Identity Manager » Version: 6.2.2.5
cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.2.5:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-5429

Exploit prediction scoring system (EPSS) score for CVE-2013-5429

CVSS scores for CVE-2013-5429

CWE ids for CVE-2013-5429

References for CVE-2013-5429

Products affected by CVE-2013-5429