Security implication in SailPoint Identity Security Cloud IdentityProfile API Endpoints – CVE-2024-3319
Description
An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed an authenticated administrator to execute user-defined templates as part of attribute transforms, which could allow remote code execution on the host.
Affected product and versions
- Identity Security Cloud
Resolution
This issue has been resolved. No further action is needed.
CVE details
CVE ID: CVE-2024-3319
Published Date: 05/15/2024
Vulnerability Type: Improper Control of Generation of Code (‘Code Injection’)
CWE: CWE-94
CVSS v3 Score: 9.1 (Critical)
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H