SailPoint IdentityIQ Access Request for Entitlement Values with Leading/Trailing Whitespace – CVE-2024-1714

Description

An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can arise when an authenticated user requests, in an access request, an entitlement whose value contains leading or trailing whitespace.
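An added example, not SailPoint code: a Python audit that lists entitlement values with leading or trailing whitespace in a catalog export, so the entries matching the condition above can be reviewed. The CSV layout and the column names `application`, `attribute` and `value` are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this
# example, not a documented IdentityIQ schema.
SAMPLE_EXPORT = (
    "application,attribute,value\n"
    'HR System,group,"Payroll Admins"\n'
    'HR System,group," Payroll Admins"\n'
    'Active Directory,memberOf,"CN=Finance,OU=Groups,DC=example,DC=com "\n'
    'Active Directory,memberOf,"CN=Audit,OU=Groups,DC=example,DC=com\t"\n'
    'ERP,role,"AP\u00a0Clerk"\n'
    'ERP,role,"\u00a0AP Clerk"\n'
)

def edge_whitespace(value):
    """Return (leading, trailing) whitespace runs, Unicode-aware like str.strip()."""
    if not value.strip():              # whitespace-only value: report it once
        return value, ""
    lead = value[: len(value) - len(value.lstrip())]
    trail = value[len(value.rstrip()):]
    return lead, trail

def codepoints(text):
    return [f"U+{ord(ch):04X}" for ch in text]   # makes invisible characters visible

def audit(export_text):
    """List rows whose entitlement value starts or ends with whitespace."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    known = {(r["application"], r["attribute"], r["value"]) for r in rows}
    findings = []
    for line_no, r in enumerate(rows, start=2):   # line 1 is the header
        lead, trail = edge_whitespace(r["value"])
        if lead or trail:
            findings.append({
                "line": line_no,
                "application": r["application"],
                "attribute": r["attribute"],
                "value": r["value"],
                "leading": codepoints(lead),
                "trailing": codepoints(trail),
                # True when the trimmed value is also a catalog entry of its own
                "trimmed_twin": (r["application"], r["attribute"], r["value"].strip()) in known,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f["line"], f["application"], repr(f["value"]), f["leading"], f["trailing"], f["trimmed_twin"])
```

Interior whitespace, such as the non-breaking space in the first `ERP` row, is not reported; only the edges of the value are checked.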

Affected product and versions

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p1

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p4

IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p7

IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7

All previous versions of IdentityIQ

Resolution

SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.

CVE details

CVE ID: CVE-2024-1714

Published Date: 02/27/2024

Vulnerability Type: Improper Input Validation

CWE: CWE-20

CVSS v3 Score: 7.1

CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L