### #IdentityManagement #AccessControl #SecurityAdvisory
Summary: A critical vulnerability (CVE-2024-10905) in SailPoint’s IdentityIQ IAM software allows unauthorized access to protected content, with a maximum severity CVSS score of 10.0. SailPoint has released e-fixes for affected versions to mitigate this risk.
Threat Actor: Unknown | unknown
Victim: SailPoint | SailPoint
Key Point :
- The vulnerability allows HTTP access to static content that should be protected within IdentityIQ.
- Affects IdentityIQ versions 8.2, 8.3, 8.4, and all prior versions.
- Characterized as improper handling of file names (CWE-66), enabling access to otherwise restricted files.
- SailPoint has issued security advisories and fixes for all impacted versions.
- Commitment to transparency and security emphasized by SailPoint’s CISO in response to inquiries.
A critical security vulnerability has been disclosed in SailPoint’s IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.
The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions.
IdentityIQ “allows HTTP access to static content in the IdentityIQ application directory that should be protected,” according to a description of the flaw on NIST’s National Vulnerability Database (NVD).
The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources (CWE-66), which could be abused to read otherwise inaccessible files.
In an alert of its own, SailPoint said it has “released e-fixes for each impacted and supported version of IdentityIQ.” The exact list of versions impacted by CVE-2024-10905 is mentioned below –
- 8.4 and all 8.4 patch levels prior to 8.4p2
- 8.3 and all 8.3 patch levels prior to 8.3p5
- 8.2 and all 8.2 patch levels prior to 8.2p8, and
- All prior versions
The Hacker News has reached out to SailPoint for comment prior to the publication of this story and will update the piece if we hear back from the company.
Update
In response to our queries, SailPoint CISO Rex Booth shared following statement with The Hacker News –
As part of our continued commitment to transparency and security, on Monday December 2, SailPoint issued a security advisory for its Identity IQ product which was assigned CVE-2024-10905. A fix has already been released, and we’ve provided customers with guidance on how to apply it.
Publishing CVEs is a voluntary practice across the industry that demonstrates dedication to security and transparency. At SailPoint, we invest in secure development practices and strive to catch vulnerabilities prior to software release, but, as with all software, new vulnerabilities can emerge as attacker tactics and detection capabilities evolve. For this reason, we continually test our products in all stages of the development lifecycle to minimize risk to our customers. Finding and remediating vulnerabilities is a symptom of a mature security program, and a company dedicated to safeguarding the cyber ecosystem.
(The story was updated after publication to include a statement from SailPoint and the advisory.)
Source: https://thehackernews.com/2024/12/critical-sailpoint-identityiq.html