CVE-2024-10905 (CVSS 10): Critical Vulnerability in SailPoint IdentityIQ Exposes Sensitive Data
A critical vulnerability has been discovered in SailPoint IdentityIQ, a widely used identity and access management (IAM) platform. This flaw, tracked as CVE-2024-10905, has been assigned a CVSS score of 10.0, the highest possible severity rating, indicating that it is easy to exploit and could have a significant impact on affected organizations.
Improper Access Control Leads to Data Exposure
The vulnerability stems from improper access controls within IdentityIQ. Attackers can exploit this weakness to gain unauthorized access to static content within the application directory. This could include sensitive configuration files, application code, and potentially even user data.
Affected Versions
The vulnerability affects a wide range of IdentityIQ versions, including:
- IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2
- IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5
- IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8
- All previous versions of IdentityIQ
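The version list above maps directly onto a triage rule: a deployment is affected if its release branch is older than 8.2, or if it sits on 8.2/8.3/8.4 below the patch level named. The following is an added example (not SailPoint's code or tooling) that encodes those thresholds and runs them over an inventory of `<host> <version>` lines; the hostnames and version strings in `SAMPLE_INVENTORY` are constructed for the example, and branches newer than 8.4, which the advisory does not list, are reported as `unknown` rather than assumed safe.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Lowest patch level on each release branch that carries the fix, as stated in
# the advisory. Branches older than 8.2 are affected at every patch level.
FIXED_PATCH_LEVEL = {
    (8, 4): 2,   # 8.4p2
    (8, 3): 5,   # 8.3p5
    (8, 2): 8,   # 8.2p8
}
OLDEST_BRANCH_WITH_FIX = min(FIXED_PATCH_LEVEL)  # (8, 2)

# Version strings look like "8.3", "8.3p4" or "8.4P1"; anything else is rejected
# rather than silently guessed at.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:p(\d+))?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class IIQVersion:
    major: int
    minor: int
    patch: int  # 0 for a base release with no patch applied

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.major, self.minor)


def parse_version(text: str) -> IIQVersion:
    """Parse an IdentityIQ version string into its numeric parts."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    major, minor, patch = m.groups()
    return IIQVersion(int(major), int(minor), int(patch) if patch else 0)


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string.

    'unknown' is returned for branches newer than 8.4 that the advisory does not
    list (an assumption of this example); check those against the vendor's own
    release notes instead of treating them as safe.
    """
    v = parse_version(text)
    if v.branch < OLDEST_BRANCH_WITH_FIX:
        return "affected"           # "All previous versions of IdentityIQ"
    fixed_at = FIXED_PATCH_LEVEL.get(v.branch)
    if fixed_at is None:
        return "unknown"
    return "affected" if v.patch < fixed_at else "fixed"


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify '<host> <version>' inventory lines; malformed lines are reported, not skipped."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(" ")
        try:
            verdict = assess(version)
        except ValueError:
            verdict = "unparseable"
        results.append((host, version.strip(), verdict))
    return results


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    "# host  version",
    "iiq-prod-01 8.4p1",
    "iiq-prod-02 8.4p2",
    "iiq-uat-01  8.3p4",
    "iiq-dev-01  8.2",
    "iiq-legacy  7.3p3",
    "iiq-new     8.5",
    "iiq-bad     eight.four",
]

if __name__ == "__main__":
    for host, version, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {version:10} {verdict}")
```

Unparseable entries are surfaced as their own verdict rather than dropped, because an inventory row that cannot be classified is exactly the host a triage run should not lose track of; the `unknown` verdict keeps the same bias, leaving the decision for unlisted branches to the vendor's notes rather than to the script.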
Urgent Action Required
SailPoint has released e-fixes to address this vulnerability for all supported versions of IdentityIQ. Organizations using any of the affected versions are strongly urged to apply these patches immediately. Future patch levels will also include the necessary fixes.