IdentityIQ Improper Access Control Vulnerability – CVE-2024-10905

Description

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.

Affected product and versions

  • IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2
  • IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5
  • IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8
  • All previous versions of IdentityIQ
  • No other SailPoint products are impacted

Resolution

SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.

CVE details

CVE ID: CVE-2024-10905
Published Date: 12/02/2024
Vulnerability Type: IdentityIQ Improper Access Control Vulnerability
CWE: CWE-66
CVSS v3 Score: 10.0
CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H