Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

A critical security vulnerability has been disclosed in SailPoint’s IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.

The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions.

IdentityIQ “allows HTTP access to static content in the IdentityIQ application directory that should be protected,” according to a description of the flaw on NIST’s National Vulnerability Database (NVD).

The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources (CWE-66), which could be abused to read otherwise inaccessible files.

In an alert of its own, SailPoint said it has “released e-fixes for each impacted and supported version of IdentityIQ.” The exact list of versions impacted by CVE-2024-10905 is mentioned below –

8.4 and all 8.4 patch levels prior to 8.4p2
8.3 and all 8.3 patch levels prior to 8.3p5
8.2 and all 8.2 patch levels prior to 8.2p8, and
All prior versions

The Hacker News has reached out to SailPoint for comment prior to the publication of this story and will update the piece if we hear back from the company.

Update

In response to our queries, SailPoint CISO Rex Booth shared following statement with The Hacker News –

As part of our continued commitment to transparency and security, on Monday December 2, SailPoint issued a security advisory for its Identity IQ product which was assigned CVE-2024-10905. A fix has already been released, and we’ve provided customers with guidance on how to apply it.

Publishing CVEs is a voluntary practice across the industry that demonstrates dedication to security and transparency. At SailPoint, we invest in secure development practices and strive to catch vulnerabilities prior to software release, but, as with all software, new vulnerabilities can emerge as attacker tactics and detection capabilities evolve. For this reason, we continually test our products in all stages of the development lifecycle to minimize risk to our customers. Finding and remediating vulnerabilities is a symptom of a mature security program, and a company dedicated to safeguarding the cyber ecosystem.

Source

Leave a Comment Cancel Reply

London, GB

7:58 am, Jan 18, 2025

2°C

L: 2° | H: 3°

Feels like 0°C° overcast clouds

Humidity: 89 %

Pressure: 1031 mb

Wind: 5 mph E

Wind Gust: 0 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 100%

Rain Chance: 0%

Visibility: 9 km

Sunrise: 7:56 am

Sunset: 4:24 pm

DailyHourly

Daily ForecastHourly Forecast

Today 9:00 pm

2° | 3°°C 0 mm 0% 4 mph 90 % 1031 mb 0 mm/h

Tomorrow 9:00 pm

1° | 5°°C 0 mm 0% 7 mph 93 % 1024 mb 0 mm/h

Mon Jan 20 9:00 pm

3° | 8°°C 0.26 mm 26% 6 mph 97 % 1019 mb 0 mm/h

Tue Jan 21 9:00 pm

4° | 8°°C 0 mm 0% 8 mph 95 % 1019 mb 0 mm/h

Wed Jan 22 9:00 pm

4° | 7°°C 1 mm 100% 4 mph 99 % 1012 mb 0 mm/h

Today 9:00 am

2° | 2°°C 0 mm 0% 2 mph 89 % 1031 mb 0 mm/h

Today 12:00 pm

3° | 5°°C 0 mm 0% 3 mph 83 % 1031 mb 0 mm/h

Today 3:00 pm

4° | 6°°C 0 mm 0% 3 mph 75 % 1028 mb 0 mm/h

Today 6:00 pm

3° | 3°°C 0 mm 0% 4 mph 88 % 1026 mb 0 mm/h

Today 9:00 pm

2° | 2°°C 0 mm 0% 3 mph 90 % 1025 mb 0 mm/h

Tomorrow 12:00 am

2° | 2°°C 0 mm 0% 3 mph 89 % 1024 mb 0 mm/h

Tomorrow 3:00 am

1° | 1°°C 0 mm 0% 3 mph 91 % 1022 mb 0 mm/h

Tomorrow 6:00 am

1° | 1°°C 0 mm 0% 3 mph 93 % 1021 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€99,875.59	1.11%
Ethereum(ETH)	€3,197.95	-2.65%
XRP(XRP)	€3.03	-6.17%
Tether(USDT)	€0.97	-0.03%
Solana(SOL)	€227.09	9.43%
Dogecoin(DOGE)	€0.385160	0.43%
USDC(USDC)	€0.97	0.00%
Shiba Inu(SHIB)	€0.000022	-2.80%
Pepe(PEPE)	€0.000019	-0.43%
Peanut the Squirrel(PNUT)	€0.52	-12.46%

Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

Share:

Update

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us