
SailPoint IdentityIQ File Traversal Vulnerability – CVE-2022-46835

Description

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, and IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950.
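The weakness class here is CWE-22: a requested file name is joined to a base directory without confirming that the resulting path still lies inside it. The following is an added illustration of the defensive check, not SailPoint or JSF code and not the e-fix described in this advisory. It canonicalises both the base directory and the candidate path, decodes repeated percent-encoding and normalises separators before the check, and compares with a common-path test rather than a string prefix. The directory layout, file names and request strings are constructed for the demonstration.

```python
"""Added example: canonical-path containment check for file requests.

This is illustrative code, not SailPoint IdentityIQ or JSF source and
not the vendor e-fix. It shows how a web application can verify that a
requested resource resolves inside the directory it is allowed to serve.
"""
import os
import tempfile
from urllib.parse import unquote


def decode_fully(segment: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e -> %2e%2e -> ..)
    so the containment check sees the same path the filesystem would."""
    for _ in range(max_rounds):
        decoded = unquote(segment)
        if decoded == segment:
            return decoded
        segment = decoded
    return segment


def resolve_within(base_dir: str, requested: str):
    """Return the real filesystem path for `requested` if it stays inside
    `base_dir`, otherwise None. Requests are treated as relative to the
    base directory, so a leading '/' is stripped rather than honoured."""
    real_base = os.path.realpath(base_dir)
    cleaned = decode_fully(requested).replace("\\", "/")
    if "\x00" in cleaned:  # embedded NUL: reject outright
        return None
    candidate = os.path.realpath(os.path.join(real_base, cleaned.lstrip("/")))
    # realpath() collapses '..' and follows symlinks; commonpath() avoids
    # the prefix trick where '/srv/webroot2' would string-match '/srv/webroot'.
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate


def demo() -> dict:
    """Constructed scenario: a web root with one public file and a sibling
    'secret.txt' one level above it. Returns, per request, whether the
    resolver would serve the file (True) or refuse it (False)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "webroot")
    os.makedirs(os.path.join(base, "images"))
    with open(os.path.join(base, "images", "logo.txt"), "w") as fh:
        fh.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("must not be served")

    # Constructed request strings: one legitimate, four traversal variants.
    requests = {
        "legit": "/images/logo.txt",
        "dotdot": "/images/../../secret.txt",
        "encoded": "/images/%2e%2e/%2e%2e/secret.txt",
        "double_encoded": "/images/%252e%252e/%252e%252e/secret.txt",
        "backslash": "/images/..\\..\\secret.txt",
    }
    return {name: resolve_within(base, req) is not None for name, req in requests.items()}


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name:15s} -> {'served' if served else 'refused'}")
```

The check is applied to the resolved filesystem path, not to the raw request string, which is why encoding tricks and alternative separators do not matter once `decode_fully` and `realpath` have run. Where the served files are known in advance, an allow-list of exact names is stricter still and should be preferred.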

Affected product and versions

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2

IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5

IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7

IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6

Resolution

SailPoint has released an e-fix that addresses this issue across all impacted versions of IdentityIQ. Future patch levels will include this fix once they become available.

CVE details

CVE ID: CVE-2022-46835
Published Date: 01/31/2023
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE: CWE-22
CVSS v3 Score: 8.8
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N