SailPoint IdentityIQ JavaServer Faces File Path Traversal Vulnerability – CVE-2024-2227
Description
This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.
Affected product and versions
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p1
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p4
IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p7
IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7
All previous versions of IdentityIQ
Resolution
SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.
CVE details
| CVE ID | CVE-2024-2227 |
| Published Date | 03/21/2024 |
| Vulnerability Type | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CWE | CWE-22 |
| CVSS v3 Score | 10.0 |
| CVSS v3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |