N/A

IBM Tivoli Provisioning Manager (TPM) before 5.1.1.1 IF0006, when its LDAP service is shared with other applications, does not require that an LDAP user be listed in the TPM user records, which allows remote authenticated users to execute SOAP commands that access arbitrary TPM functionality, as demonstrated by running provisioning workflows.

N/A

N/A

IBM Tivoli Provisioning Manager SOAP命令绕过认证漏洞

IBM Tivoli Provisioning Manager允许通过服务器、存储器和网络自动化在整个数据中心实现随需应变的计算。 Tivoli Provisioning Manager的SOAP认证机制中存在安全漏洞。如果与其他应用共享用于认证的LDAP的话，则域中的任意LDAP用户都可以运行SOAP命令。例如，如果在TPM、TPMfSW或TIO的域或后缀下的LDAP中创建了用户，但没有在TPM用户记录中创建相同用户，则该用户可以使用SOAP运行供应工作流。

N/A

N/A