SailPoint IdentityIQ Unsafe use of Reflection Vulnerability - CVE-2023-32217
Description
This vulnerability allows an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
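The following is an added, generic illustration of the CWE-470 pattern described above next to an allowlist-based hardened form; it is not SailPoint or IdentityIQ code. The class name SafeInstantiator, its methods, the allowlist contents and the sample inputs are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class SafeInstantiator {
    // Hypothetical allowlist: only these classes may be created from a request-supplied name.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.ArrayList",
            "java.util.HashMap");

    // CWE-470 pattern: a caller-controlled name selects any class on the classpath,
    // so that class's constructor (and static initializer) runs on the caller's behalf.
    static Object unsafeCreate(String className, Map<String, Object> args) throws Exception {
        return construct(Class.forName(className), args);
    }

    // Hardened form: check the name against the allowlist before the class is loaded.
    static Object safeCreate(String className, Map<String, Object> args) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new SecurityException("class not allowlisted: " + className);
        }
        // initialize=false defers static initializers until construction.
        Class<?> cls = Class.forName(className, false, SafeInstantiator.class.getClassLoader());
        return construct(cls, args);
    }

    // Mirrors the two constructor shapes named in the advisory: single Map argument or no-arg.
    private static Object construct(Class<?> cls, Map<String, Object> args) throws Exception {
        if (args != null) {
            try {
                return cls.getConstructor(Map.class).newInstance(args);
            } catch (NoSuchMethodException e) {
                // No (Map) constructor: fall through to the no-argument constructor.
            }
        }
        return cls.getConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one allowlisted name, one placeholder name that is not.
        System.out.println(safeCreate("java.util.HashMap", new HashMap<>()).getClass());
        try {
            safeCreate("com.example.Unlisted", null);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the allowlist check runs before `Class.forName`, a rejected name is never loaded or initialized.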
Affected product and versions
- IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2
- IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5
- IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p6
- IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p5
Resolution
SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.
CVE details
CVE ID: CVE-2023-32217
Published Date: 05/31/2023
Vulnerability Type: Unsafe use of Reflection
CWE: CWE-470
CVSS v3 Score: 9.0
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N