SailPoint IdentityIQ Unsafe use of Reflection Vulnerability - CVE-2023-32217

Description

This vulnerability allows an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
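
The general mitigation for this bug class (CWE-470) is to gate reflective instantiation behind an allowlist and an expected type. The following is an added example, not SailPoint's code or its fix; the class names `SafeReflectiveFactory`, `Task`, `ReportTask` and `ExportTask` are hypothetical. It covers both constructor shapes named in the description (no arguments, single Map argument).

```java
import java.lang.reflect.Constructor;
import java.util.Map;
import java.util.Set;

public class SafeReflectiveFactory {
    // Hypothetical contract and implementations, constructed for this example.
    public interface Task { String describe(); }

    public static class ReportTask implements Task {   // no-argument constructor
        public String describe() { return "report"; }
    }

    public static class ExportTask implements Task {   // single Map constructor
        private final Map<String, Object> args;
        public ExportTask(Map<String, Object> args) { this.args = args; }
        public String describe() { return "export " + args; }
    }

    // Only these class names may be instantiated from caller-supplied input.
    private static final Set<String> ALLOWED = Set.of(
            ReportTask.class.getName(), ExportTask.class.getName());

    public static Task create(String className, Map<String, Object> args)
            throws ReflectiveOperationException {
        // Gate before Class.forName: resolving an arbitrary name is already
        // the unsafe step, so the allowlist check must come first.
        if (!ALLOWED.contains(className)) {
            throw new SecurityException("class not allowlisted: " + className);
        }
        // initialize=false: do not run static initializers during lookup.
        Class<?> raw = Class.forName(className, false,
                SafeReflectiveFactory.class.getClassLoader());
        // Second gate: the class must implement the expected contract.
        Class<? extends Task> cls = raw.asSubclass(Task.class);
        try {
            Constructor<? extends Task> ctor = cls.getConstructor(Map.class);
            return ctor.newInstance(args);
        } catch (NoSuchMethodException e) {
            return cls.getConstructor().newInstance();
        }
    }

    public static void main(String[] argv) throws Exception {
        System.out.println(create(ReportTask.class.getName(), Map.of()).describe());
        System.out.println(create(ExportTask.class.getName(), Map.of("fmt", "csv")).describe());
        try { create("java.util.HashMap", Map.of()); }   // on the classpath, not allowlisted
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```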

Affected product and versions

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2

IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5

IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p6

IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p5

Resolution

SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.

CVE details

CVE ID: CVE-2023-32217

Published Date: 05/31/2023

Vulnerability Type: Unsafe use of Reflection

CWE: CWE-470

CVSS v3 Score: 9.0

CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N