IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
The IdentityIQ application improperly secures access to static resources in its application directory. An attacker can send HTTP or HTTPS requests directly to protected static files without authentication. Access control mechanisms are not enforced for this category of resources, resulting in their unrestricted accessibility from the network (CWE-66: improper handling of file names).
An attacker can gain unauthorized access to protected static resources of the application, which may lead to disclosure of sensitive data, compromise of environment integrity, and potential disruption of identity management system availability.
SailPoint IdentityIQ should be updated to version 8.4p2, 8.3p5, or 8.2p8 (depending on the branch in use). Details are available in the official security advisory from the vendor: https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905
SailPoint IdentityIQ 8.4 and all patch levels prior to 8.4p2; IdentityIQ 8.3 and all patch levels prior to 8.3p5; IdentityIQ 8.2 and all patch levels prior to 8.2p8; all previous versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HSailpoint Identityiq
APPSailpoint8.28.38.4< 8.2
Related vulnerabilities
Path Traversal w SailPoint IdentityIQ — dostęp do dowolnych plików serwera
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6...
This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the request...
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch level...
This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a t...