IdentityIQ Improper Access Control Vulnerability – CVE-2024-10905
Description
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
Affected product and versions
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5
IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8
All previous versions of IdentityIQ
No other SailPoint products are impacted
Resolution
SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.
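For triaging an inventory against the affected ranges above, the following added example (not SailPoint code) classifies version strings written the way this advisory writes them, such as 8.4p1. The function names, status labels and sample hosts are assumptions. A host below the fixed patch level may already carry the e-fix, which a version string alone does not show, so that status is reported as conditional.

```python
import re

# First fixed patch level per release line, taken from the advisory text.
FIXED_PATCH = {(8, 4): 2, (8, 3): 5, (8, 2): 8}
OLDEST_LISTED = min(FIXED_PATCH)

# Assumed version-string shape, matching how the advisory writes versions:
# "8.4", "8.4p1", "8.3 p5" (a missing patch suffix means patch level 0).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*(?:p(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError on an unrecognised string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(text):
    """Classify one version string against the advisory's affected ranges."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in FIXED_PATCH:
        if patch >= FIXED_PATCH[line]:
            return "fixed-patch-level"
        return "affected-unless-efix"      # an e-fix may already be installed
    if line < OLDEST_LISTED:
        return "affected-older-release"    # "all prior versions"
    return "not-covered"                   # newer than anything the advisory lists


def triage_inventory(inventory):
    """Map host -> status; unparseable versions are flagged for manual review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = triage(version)
        except ValueError:
            result[host] = "manual-review"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"iiq-prod": "8.3p4", "iiq-dr": "8.4p2", "iiq-lab": "7.3p2",
          "iiq-test": "8.2", "iiq-old": "unknown"}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:10} {SAMPLE[host]:8} {status}")
```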
CVE details
CVE ID: CVE-2024-10905
Published Date: 12/02/2024
Vulnerability Type: IdentityIQ Improper Access Control Vulnerability
CWE: CWE-66
CVSS v3 Score: 10.0
CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H