A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored in the application directory.
The flaw, tracked as CVE-2024-10905, carries a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and all earlier releases.
IdentityIQ “allows HTTP access to static content in the IdentityIQ application directory that must be secured,” according to the flaw's description in NIST's National Vulnerability Database (NVD).
The vulnerability has been described as an instance of improper handling of file names that identify virtual resources (CWE-66), a weakness that could be abused to read files that should otherwise be inaccessible.
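The CWE-66 class of bug is worth seeing concretely: a server that compares the raw request string against a list of protected directories can be talked into serving the same file under a different spelling. The following is an added example, not SailPoint's code and not a description of this CVE's actual path: it canonicalises a request path before checking it against directories that must never be served, and then scans constructed access-log lines to report requests that reached such directories. The protected directory names (`WEB-INF`, `META-INF`) are the standard servlet-container directories and are an assumption about what an installation would want to watch; the log lines are constructed for illustration.

```python
"""Added example (not SailPoint's code): a canonicalising request guard for
directories that must never be served as static content, plus a scan over
web-server access-log lines that reports requests reaching them.
The protected directory names and the log lines are constructed for
illustration and do not describe IdentityIQ's real layout or this CVE's path."""
import posixpath
import re
from urllib.parse import unquote

# Assumption: servlet-container directories that must never be served over HTTP.
PROTECTED_SEGMENTS = {"web-inf", "meta-inf"}


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the form the file system would resolve it to.

    Matching a protected name against the raw string is the CWE-66 trap: the
    same resource has many spellings (percent-encoding, repeated encoding,
    backslashes, dot segments, mixed case), so decode and normalise first.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    previous = None
    while path != previous:          # undo repeated percent-encoding
        previous = path
        path = unquote(path)
    path = path.replace("\\", "/").replace("\x00", "")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)  # collapses '.', '..' and '//'


def is_protected(raw_path: str, protected=PROTECTED_SEGMENTS) -> bool:
    """True when any directory segment of the canonical path is protected."""
    segments = canonical_path(raw_path).lower().split("/")
    return any(seg in protected for seg in segments)


# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def flag_requests(log_lines):
    """Return (ip, status, canonical path) for requests into protected dirs.

    A 200 here means the server handed the file out; a 403/404 means it was
    refused, which is still worth seeing as probing of the application.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and is_protected(m.group("path")):
            hits.append((m.group("ip"), int(m.group("status")),
                         canonical_path(m.group("path"))))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2024:09:12:01 +0000] "GET /identityiq/home.jsf HTTP/1.1" 200 8213',
    '203.0.113.5 - - [10/Dec/2024:09:12:04 +0000] "GET /identityiq/WEB-INF/web.xml HTTP/1.1" 200 4411',
    '203.0.113.5 - - [10/Dec/2024:09:12:05 +0000] "GET /identityiq/ui/../web-inf/classes/app.properties HTTP/1.1" 200 902',
    '203.0.113.5 - - [10/Dec/2024:09:12:06 +0000] "GET /identityiq/%57EB-INF/web.xml HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Dec/2024:09:12:09 +0000] "GET /identityiq/scripts/app.js HTTP/1.1" 200 33120',
]

if __name__ == "__main__":
    for ip, status, path in flag_requests(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

The guard is deliberately applied to the canonical form rather than the raw string, and the log scan reports the status code alongside each hit so that a responder can separate requests the server actually fulfilled from ones it refused.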
There is currently no other information available about the flaw, and SailPoint has not yet issued a security advisory. The complete list of versions affected by CVE-2024-10905 is as follows:
- 8.4 and all 8.4 patch levels up to 8.4p2
- 8.3 and all 8.3 patch levels up to 8.3p5
- 8.2 and all 8.2 patch levels up to 8.2p8
- All previous versions
Hacker News reached out to SailPoint for comment before publishing this story and will update the article when it hears back from the company.