Full Report
A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory. The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions. IdentityIQ "allows
Analysis Summary
# Vulnerability: Critical SailPoint IdentityIQ Unauthorized File Access
## CVE Details
- CVE ID: CVE-2024-10905
- CVSS Score: 10.0 (Critical)
- CWE: CWE-66 (Improper Handling of Resource Names/Identifiers)
## Affected Systems
- Products: SailPoint IdentityIQ
- Versions:
- 8.4 and all patch levels prior to 8.4p2
- 8.3 and all patch levels prior to 8.3p5
- 8.2 and all patch levels prior to 8.2p8
- All prior versions
- Configurations: Applies generally to IdentityIQ installations.
## Vulnerability Description
A critical vulnerability exists in SailPoint IdentityIQ that allows an attacker to gain unauthorized HTTP access to static content within the IdentityIQ application directory. This is due to improper handling of filenames that designate virtual resources (CWE-66), which can be abused to read files that should otherwise be inaccessible.
## Exploitation
- Status: Details regarding active exploitation are not provided in the summary.
- Complexity: Unknown, likely low given the critical score and lack of strict prerequisites implied by the description.
- Attack Vector: Network (implied, as it is HTTP access).
## Impact
- Confidentiality: High/Complete (Unauthorized access to files within the application directory).
- Integrity: Unknown/Potential (Depending on accessible files).
- Availability: Unknown/Potential.
## Remediation
### Patches
Specific patch versions are not explicitly listed in the provided text, but users must update to versions *equal to or greater than* the following patch levels:
- Must be **8.4p2** or later.
- Must be **8.3p5** or later.
- Must be **8.2p8** or later.
### Workarounds
No specific workarounds were detailed in the provided source material.
## Detection
- Indicators of compromise: Not specified.
- Detection methods and tools: Not specified. General monitoring of unusual HTTP requests referencing static content directories within the application structure might be relevant.
## References
- Vendor Advisories: No SailPoint security advisory was available at the time of the article's publication.
- Relevant links:
- NIST NVD: hxxps://nvd.nist.gov/vuln/detail/CVE-2024-10905