A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.
The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and other previous versions.
IdentityIQ "allows HTTP access to static content in the IdentityIQ application directory that should be protected," according to a description of the flaw on NIST's National Vulnerability Database (NVD).
The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources (CWE-66), which could be abused to read otherwise inaccessible files.
There are currently no other details available about the flaw, nor has SailPoint released a security advisory. The exact versions impacted by CVE-2024-10905 are listed below:
- 8.4 and all 8.4 patch levels prior to 8.4p2
- 8.3 and all 8.3 patch levels prior to 8.3p5
- 8.2 and all 8.2 patch levels prior to 8.2p8, and
- All prior versions
The Hacker News has reached out to SailPoint for comment prior to the publication of this story and will update the piece if we hear back from the company.