Vulnerability Name:

CVE-2013-5429 (CCN-87561)

Assigned:2013-08-22
Published:2014-01-13
Updated:2017-08-29
Summary:The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.2 before FP9 does not prevent reuse of One Time Password (OTP) tokens, which makes it easier for remote authenticated users to complete transactions by leveraging access to an already-used token.
CVSS v3 Severity:2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-287
Vulnerability Consequences:Bypass Security
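The consequence recorded above (an already-used one-time password still being accepted) is, at its core, a verifier that checks a token's validity but never records that it has been consumed. The Python below is an illustrative example added to this entry; it is not TFIM code and does not reproduce the product's Risk Based Access logic. It implements RFC 4226 HOTP with a constructed demo secret (the RFC's published test key) and contrasts a verifier that never advances its counter, so a captured token replays indefinitely, with one that burns the accepted counter and every counter below it. The class and function names are the example's own.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test-vector key); not a key from any real deployment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ReplayableOtpVerifier:
    """Vulnerable pattern: validates the code but never records that it was consumed.

    Every code inside the look-ahead window stays valid forever, so a token that was
    captured, or simply reused by an authenticated user, passes a second time.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                return True  # counter is never advanced: a replay succeeds
        return False


class SingleUseOtpVerifier:
    """Hardened pattern: the accepted counter, and every counter below it, is burned.

    Advancing to c + 1 rejects replays of the accepted token and any older token the
    user skipped, which is the RFC 4226 resynchronisation rule.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume: this token can never be accepted again
                return True
        return False


def replay_outcome(verifier_cls) -> tuple:
    """Present one valid token twice; returns (first_accepted, replay_accepted)."""
    v = verifier_cls(DEMO_SECRET)
    token = hotp(DEMO_SECRET, 0)
    return v.verify(token), v.verify(token)


if __name__ == "__main__":
    print("vulnerable :", replay_outcome(ReplayableOtpVerifier))  # (True, True)
    print("single-use :", replay_outcome(SingleUseOtpVerifier))   # (True, False)
```

In a real deployment the consumed counter (or, for time-based tokens, a cache of tokens accepted within the validity window) must be persisted per user, updated atomically with the accept decision, and shared across every node that validates tokens; a per-process in-memory counter as above would let a replay succeed against a different cluster member.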
References:Source: MITRE
Type: CNA
CVE-2013-5429

Source: CCN
Type: SA56411
IBM Tivoli Federated Identity Manager / Business Gateway Token Reuse Security Issue

Source: AIXAPAR
Type: UNKNOWN
IV52624

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21660509

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21660510

Source: CCN
Type: OSVDB ID: 101699
IBM Tivoli Federated Identity Multiple Product OTP Token Reuse Weakness

Source: CCN
Type: BID-64999
IBM Tivoli Federated Identity Manager Business Gateway Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
ibm-tivoli-cve20135429-sec-bypass(87561)

Source: CCN
Type: IBM Security Bulletin 1660510
IBM Tivoli Federated Identity Manager Business Gateway One Time Password Enforcement (CVE-2013-5429)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2.8:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:ibm:tivoli_federated_identity_manager:6.2.2:*:*:*:*:*:*:*
