A vulnerability was found in IBM Tivoli Identity Manager and Security Identity Manager (Access Management Software) (affected version unknown) and classified as critical. Affected by this issue is an unknown functionality. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality, integrity, and availability. CVE summarizes:

IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and Security Identity Manager 6.0.x before 6.0.0.4-ISS-SIM-IF0001 and 7.0.x before 7.0.0.0-ISS-SIM-IF0003 might allow man-in-the-middle attackers to obtain sensitive information by leveraging an unencrypted connection for interfaces. IBM X-Force ID: 96172.

The bug was discovered 03/02/2015. The weakness was disclosed 04/20/2018 (Website). The advisory is shared for download at exchange.xforce.ibmcloud.com. This vulnerability is handled as CVE-2014-6108 since 09/02/2014. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

The vulnerability was handled as a non-public zero-day exploit for at least 1145 days. During that time the estimated underground price was around $5k-$25k.

Upgrading eliminates this vulnerability.

The entries 116853, 116854 and 116855 are pretty similar.

Productinfo

Type

• Access Management Software

Vendor

• IBM

Name

• Security Identity Manager
• Tivoli Identity Manager

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion