SailPoint IdentityIQ File Traversal Vulnerability – CVE-2022-46835

Description

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, and IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files on the application server filesystem. The cause is a path traversal vulnerability in the bundled JavaServer Faces (JSF) 2.2.20 implementation, previously documented as CVE-2020-6950.
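Operators who cannot apply the e-fix immediately usually want to know whether anyone has already probed the JSF path traversal. The following script is an added illustration, not SailPoint code and not a statement of the exact vulnerable request (the advisory does not identify it). It parses access-log lines in the common Apache/Tomcat layout, percent-decodes the request path and every query value repeatedly so double-encoded ".." sequences are caught, normalises backslashes, and flags any request containing a ".." path segment, noting whether it targeted the JSF resource handler path (javax.faces.resource, which is where JSF 2.x serves static resources) and whether the server answered 2xx. The sample log lines, including the ln query parameter used in one of them, are constructed for the demonstration.

```python
"""Triage web access logs for path-traversal attempts against a JSF-based
application such as IdentityIQ. Added illustration; not SailPoint code."""
import re
from urllib.parse import unquote, urlsplit

# Apache/Tomcat "common" access-log layout: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# JSF 2.x serves CSS/JS/images through its resource handler under this
# spec-defined path segment; hits there are the most relevant to this advisory.
JSF_RESOURCE_MARKER = "javax.faces.resource"

# A ".." path segment bounded by slashes or the ends of the string.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def traversal_indicators(target):
    """Return decoded request components (path or query values) that contain '..'."""
    parts = urlsplit(target)
    pieces = [parts.path]
    for pair in parts.query.split("&"):
        if pair:
            pieces.append(pair.partition("=")[2] if "=" in pair else pair)
    hits = []
    for piece in pieces:
        # Normalise backslashes so "..\..\" variants are caught too.
        decoded = fully_decode(piece).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            hits.append(decoded)
    return hits


def analyse(lines):
    """Parse log lines and return one finding per request with traversal indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        hits = traversal_indicators(m["target"])
        if not hits:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "target": m["target"],
            "status": status,
            "jsf_resource": JSF_RESOURCE_MARKER in m["target"],
            "decoded": hits,
            # A 2xx response to a traversal request deserves immediate follow-up;
            # a 4xx is still worth recording as an attempt.
            "priority": "high" if 200 <= status < 300 else "attempt",
        })
    return findings


# Constructed sample lines (not real traffic); the "ln" parameter is illustrative only.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2023:10:00:01 +0000] "GET /identityiq/home.jsf HTTP/1.1" 200 5123',
    '10.0.0.9 - - [31/Jan/2023:10:00:02 +0000] "GET /identityiq/javax.faces.resource/..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 2210',
    '10.0.0.9 - - [31/Jan/2023:10:00:03 +0000] "GET /identityiq/javax.faces.resource/theme.css?ln=%252e%252e%252f%252e%252e%252fWEB-INF HTTP/1.1" 404 0',
    '10.0.0.7 - - [31/Jan/2023:10:00:04 +0000] "GET /identityiq/images/..\\..\\WEB-INF\\web.xml HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["priority"], f["ip"], f["status"], f["decoded"])
```

Run it against the real access logs of the application server fronting IdentityIQ (adjust LOG_RE if the log valve uses a different pattern). A 2xx response to a decoded ".." request against javax.faces.resource is the case to escalate; 4xx responses still tell you which sources are probing and should be blocked at the reverse proxy while the e-fix is rolled out.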

Affected product and versions

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2

IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5

IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7

IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6

Resolution

SailPoint has released an e-fix that addresses this issue across all impacted versions of IdentityIQ. The fix is also carried by the patch levels named above (8.3p2, 8.2p5, 8.1p7 and 8.0p6) and by later patch levels as they become available.

CVE details

CVE ID: CVE-2022-46835

Published Date: 01/31/2023

Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE: CWE-22

CVSS v3 Score: 8.8

CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Note: the score and the vector string above do not agree. Under the CVSS v3.1 formula, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N scores 6.8; a Base Score of 8.8 corresponds to a vector such as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Confirm against the NVD record for CVE-2022-46835 before reusing either value in risk scoring.