Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

A critical security vulnerability has been disclosed in SailPoint’s IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.

The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions.

IdentityIQ “allows HTTP access to static content in the IdentityIQ application directory that should be protected,” according to a description of the flaw on NIST’s National Vulnerability Database (NVD).

The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources (CWE-66), which could be abused to read otherwise inaccessible files.

In an alert of its own, SailPoint said it has “released e-fixes for each impacted and supported version of IdentityIQ.” The exact list of versions impacted by CVE-2024-10905 is mentioned below –

8.4 and all 8.4 patch levels prior to 8.4p2
8.3 and all 8.3 patch levels prior to 8.3p5
8.2 and all 8.2 patch levels prior to 8.2p8, and
All prior versions

The Hacker News has reached out to SailPoint for comment prior to the publication of this story and will update the piece if we hear back from the company.

Update

In response to our queries, SailPoint CISO Rex Booth shared following statement with The Hacker News –

As part of our continued commitment to transparency and security, on Monday December 2, SailPoint issued a security advisory for its Identity IQ product which was assigned CVE-2024-10905. A fix has already been released, and we’ve provided customers with guidance on how to apply it.

Publishing CVEs is a voluntary practice across the industry that demonstrates dedication to security and transparency. At SailPoint, we invest in secure development practices and strive to catch vulnerabilities prior to software release, but, as with all software, new vulnerabilities can emerge as attacker tactics and detection capabilities evolve. For this reason, we continually test our products in all stages of the development lifecycle to minimize risk to our customers. Finding and remediating vulnerabilities is a symptom of a mature security program, and a company dedicated to safeguarding the cyber ecosystem.

Source

Leave a Comment Cancel Reply

London, GB

12:48 pm, Mar 16, 2025

8°C

L: 7° | H: 9°

Feels like 5°C° few clouds

Humidity: 57 %

Pressure: 1025 mb

Wind: 10 mph ENE

Wind Gust: 0 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 20%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 6:12 am

Sunset: 6:06 pm

DailyHourly

Daily ForecastHourly Forecast

Today 9:00 pm

7° | 9°°C 0 mm 0% 11 mph 77 % 1027 mb 0 mm/h

Tomorrow 9:00 pm

3° | 9°°C 0 mm 0% 10 mph 89 % 1029 mb 0 mm/h

Tue Mar 18 9:00 pm

4° | 10°°C 0 mm 0% 12 mph 78 % 1027 mb 0 mm/h

Wed Mar 19 9:00 pm

3° | 15°°C 0 mm 0% 7 mph 79 % 1022 mb 0 mm/h

Thu Mar 20 9:00 pm

8° | 14°°C 0 mm 0% 7 mph 78 % 1021 mb 0 mm/h

Today 3:00 pm

9° | 10°°C 0 mm 0% 11 mph 52 % 1025 mb 0 mm/h

Today 6:00 pm

8° | 8°°C 0 mm 0% 8 mph 60 % 1025 mb 0 mm/h

Today 9:00 pm

5° | 5°°C 0 mm 0% 3 mph 77 % 1027 mb 0 mm/h

Tomorrow 12:00 am

5° | 5°°C 0 mm 0% 6 mph 84 % 1027 mb 0 mm/h

Tomorrow 3:00 am

4° | 4°°C 0 mm 0% 7 mph 89 % 1027 mb 0 mm/h

Tomorrow 6:00 am

3° | 3°°C 0 mm 0% 7 mph 81 % 1028 mb 0 mm/h

Tomorrow 9:00 am

5° | 5°°C 0 mm 0% 7 mph 66 % 1029 mb 0 mm/h

Tomorrow 12:00 pm

9° | 9°°C 0 mm 0% 8 mph 52 % 1028 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€75,754.17	-1.81%
Ethereum(ETH)	€1,724.34	-2.40%
Tether(USDT)	€0.92	-0.02%
XRP(XRP)	€2.12	-4.76%
Solana(SOL)	€119.30	-2.97%
USDC(USDC)	€0.92	0.00%
Dogecoin(DOGE)	€0.154230	-3.68%
Shiba Inu(SHIB)	€0.000012	-0.11%
Pepe(PEPE)	€0.000006	-5.06%
Peanut the Squirrel(PNUT)	€0.189019	20.47%

Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

Share:

Update

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us