SailPoint IdentityIQ JavaServer Faces File Path Traversal Vulnerability – CVE-2024-2227

Description

This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.

Affected product and versions

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p1

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p4

IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p7

IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7

All previous versions of IdentityIQ

Resolution

SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.

CVE details

CVE ID: CVE-2024-2227

Published Date: 03/21/2024

Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CWE: CWE-22

CVSS v3 Score: 10.0

CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

IdentityIQ Identity Forwarding Vulnerability Security Notice