SailPoint IdentityIQ Authorization of QuickLink Target Identities Vulnerability – CVE-2024-2228
Description
This vulnerability allows an authenticated user to launch a Lifecycle Manager flow or other QuickLink against a target identity that lies outside the QuickLink Population defined for that QuickLink.
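As an added illustration, not SailPoint code, the following hypothetical model shows the authorization gap the description refers to: the vulnerable check only confirms that the requester is entitled to use the QuickLink, while the fixed check also confirms that the chosen target identity falls within a population the requester may act on. All class names, identities and the population rule are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Hypothetical model of the authorization gap described in CVE-2024-2228.
# Names and structures are illustrative and are not SailPoint IdentityIQ code.

@dataclass(frozen=True)
class Identity:
    name: str
    manager: Optional[str] = None  # name of this identity's manager, if any

@dataclass
class QuickLinkPopulation:
    """Who may use a QuickLink (requesters) and on whom (target rule)."""
    name: str
    requesters: Set[str]                               # identities allowed to request
    target_rule: Callable[[Identity, Identity], bool]  # (requester, target) -> allowed?

@dataclass
class QuickLink:
    name: str
    populations: List[QuickLinkPopulation]

def is_authorized_vulnerable(link: QuickLink, requester: Identity, target: Identity) -> bool:
    """Pre-fix behaviour: only the requester's access to the QuickLink is checked.
    The target identity comes from the request and is never validated, so a
    requester entitled to the link can act on any identity in the system."""
    return any(requester.name in p.requesters for p in link.populations)

def is_authorized_fixed(link: QuickLink, requester: Identity, target: Identity) -> bool:
    """Fixed behaviour: some population must both admit the requester AND
    accept this requester/target pair under its target rule."""
    return any(
        requester.name in p.requesters and p.target_rule(requester, target)
        for p in link.populations
    )

# Constructed sample data: alice manages bob; carol reports to someone else.
ALICE = Identity("alice")
BOB = Identity("bob", manager="alice")
CAROL = Identity("carol", manager="dave")

# A "Manage my team" population: managers may run the flow for direct reports only.
MANAGE_TEAM = QuickLinkPopulation(
    name="Manage my team",
    requesters={"alice"},
    target_rule=lambda requester, target: target.manager == requester.name,
)
MANAGE_ACCESS = QuickLink("Manage Access", [MANAGE_TEAM])
```

With this data, `is_authorized_vulnerable(MANAGE_ACCESS, ALICE, CAROL)` returns True even though carol is outside alice's population, whereas `is_authorized_fixed` returns False for that pair and True only for alice acting on bob.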
Affected product and versions
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p1
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p4
IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p7
IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7
All previous versions of IdentityIQ
Resolution
SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.
CVE details
CVE ID: CVE-2024-2228
Published Date: 03/21/2024
Vulnerability Type: Improper Privilege Management
CWE: CWE-269
CVSS v3 Score: 7.1
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H