Critical SailPoint IdentityIQ Vulnerability Exposes Information to Unauthorized Access

Dec 04, 2024 | Ravie Lakshmanan | Vulnerability / Software Security

A critical security vulnerability has been disclosed in SailPoint’s IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.

The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and other previous versions.

IdentityIQ “allows HTTP access to static content in the IdentityIQ application directory that should be protected,” according to a description of the flaw on NIST’s National Vulnerability Database (NVD).

The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources (CWE-66), which could be abused to read otherwise inaccessible information.

In an alert of its own, SailPoint said it has “released e-fixes for each impacted and supported version of IdentityIQ.” The exact list of versions impacted by CVE-2024-10905 is mentioned below –

  • 8.4 and all 8.4 patch levels prior to 8.4p2
  • 8.3 and all 8.3 patch levels prior to 8.3p5
  • 8.2 and all 8.2 patch levels prior to 8.2p8, and
  • All prior versions
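
The list above can be turned into a triage check over an inventory of IdentityIQ version strings. This is an added example, not code from SailPoint or the original article; it assumes versions are written as `8.4p1` (or `8.4` for an unpatched release), and the host names and sample versions are constructed.

```python
import re

# First patch level NOT listed as impacted, per release line (from the list above).
FIRST_UNAFFECTED_PATCH = {(8, 4): 2, (8, 3): 5, (8, 2): 8}
OLDEST_LISTED = min(FIRST_UNAFFECTED_PATCH)  # releases older than 8.2 are "all prior versions"

# Assumed version-string shape: "<major>.<minor>" optionally followed by "p<N>".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:p(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Split '8.3p4' into ((8, 3), 4); a bare '8.3' is patch level 0."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor)), int(patch or 0)


def classify(text):
    """Return 'affected', 'patched_level' or 'unlisted_release'."""
    release, patch = parse_version(text)
    if release < OLDEST_LISTED:
        return "affected"
    if release not in FIRST_UNAFFECTED_PATCH:
        return "unlisted_release"  # the list says nothing about this release line
    if patch < FIRST_UNAFFECTED_PATCH[release]:
        return "affected"
    return "patched_level"


def triage(inventory):
    """Map each host to a status; unparseable versions are flagged, not skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "iiq-prod-01": "8.4p1", "iiq-prod-02": "8.4p2", "iiq-dr-01": "8.3",
    "iiq-legacy": "7.3p4", "iiq-lab": "8.5", "iiq-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:6} {status}")
```

The check reads only the version string, so it cannot tell whether an e-fix has already been applied to a host it reports as affected.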

The Hacker News has reached out to SailPoint for comment prior to the publication of this story and will update the piece if we hear back from the company.

Update

In response to our queries, SailPoint CISO Rex Booth shared the following statement with The Hacker News –

As part of our continued commitment to transparency and security, on Monday December 2, SailPoint issued a security advisory for its Identity IQ product which was assigned CVE-2024-10905. A fix has already been released, and we've provided customers with guidance on how to apply it.

Publishing CVEs is a voluntary practice across the industry that demonstrates commitment to security and transparency. At SailPoint, we invest in secure development practices and strive to catch vulnerabilities prior to software release, but, as with all software, new vulnerabilities can emerge as attacker tactics and detection capabilities evolve. As a result, we continually test our products in all stages of the development lifecycle to minimize risk to our customers. Discovering and remediating vulnerabilities is a symptom of a mature security program, and a company dedicated to safeguarding the cyber ecosystem.

(The story was updated after publication to include a statement from SailPoint and the advisory.)