A vulnerability was found in IBM Security Access Manager (Network Authentication Software). It has been declared as critical. This vulnerability affects an unknown part. The manipulation with an unknown input leads to a redirect vulnerability. The CWE definition for the vulnerability is CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

IBM Security Access Manager 6.1, 7.0, 8.0, and 9.0 e-community configurations may be affected by a redirect vulnerability. ECSSO Master Authentication can redirect to a server not participating in an e-community domain. IBM X-Force ID: 128687.

The bug was discovered 08/23/2017. The weakness was released 08/23/2017 as swg22006959 as confirmed security advisory (Website). The advisory is available at www-01.ibm.com. This vulnerability was named CVE-2017-1489 since 11/30/2016. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1204.001 by the MITRE ATT&CK project.

Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Productinfo

Type

• Network Authentication Software

Vendor

• IBM

Name

• Security Access Manager

Version

• 6.1
• 6.1.1
• 7.0
• 8.0
• 8.0.0.1
• 8.0.0.2
• 8.0.0.3
• 8.0.0.4
• 8.0.0.5
• 8.0.1
• 8.0.1.2
• 8.0.1.3
• 8.0.1.4
• 8.0.1.5
• 9.0
• 9.0.0.1
• 9.0.1
• 9.0.2
• 9.0.2.1
• 9.0.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion